Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Good afternoon, everyone, and welcome to Nuts and Bolts of CCPA and CPRA, California
(00:13):
Privacy Law. My name is Belinda McCauley, and I'm the Executive Director of the Beverly
Hills Bar Association, and I am very happy to be here today to introduce our speaker,
Diana Iketani-Iorlano. Diana is the founder and managing attorney of Iketani Law Corporation
in El Segundo. She is a seasoned privacy lawyer, litigator, and outside general counsel with
(00:34):
more than 25 years of experience advising businesses of all sizes across various industries.
A fellow of information privacy through the IAPP and certified in multiple privacy disciplines,
she is a thought leader in privacy, cybersecurity, and data security compliance. Diana frequently
speaks on these topics, conducts trainings, and mentors aspiring attorneys. Her presentations
(00:56):
for BHBA always get rave reviews, and we so appreciate that she agreed to return to do
this installment of our nuts and bolts series. So with that, Diana, we really look forward
to learning from you today, and I turn the Zoom floor over to you.
Thanks so much, Belinda, and thank you to the Beverly Hills Bar Association for having
(01:16):
me back. It is one of the best places to speak and to gain information. I am an avid
consumer of your MCLEs, and I encourage everybody else to check out the library and see what
else there is in there that you can learn about. But I'm thrilled to be here to introduce
the nuts and bolts of CCPA, the California Consumer Privacy Act, and CPRA, the California
(01:39):
Privacy Rights Act. We did one of these webinars back in 2020 when the CCPA was brand new,
and we're here to update that and tell you what's been happening in the world of privacy.
So, for the first time in a while, we're here to give you some guidelines and teach you
what you need to know to help your own clients, or if you are a client, what questions you
(02:02):
need to ask your lawyers. And then a lot of people have reached out to me to say, hey,
how do I get into privacy? So we're going to touch on that as well and really talk about
what being a privacy lawyer means in the practical application, and then just in sort of what
knowledge base you need to have. So I'm going to jump into the slides here, and we'll keep
(02:26):
going. So just a bit of housekeeping, the CLE certificates, there's some information
in the chat, but also they're going to be sent to you right after you finish this program.
And if there are evaluations, I would also welcome any of your feedback in an evaluation
that you can provide to me. Tell me what content you might like in the future. That'd
be great. So today we're going to talk about CCPA and CPRA. I've really got about 45 minutes
(02:51):
worth of information on this topic, and then I'm going to open it up for a Q&A at the end
so that your burning privacy questions can be answered. But we're going to talk through
the overview of the actual law, what compliance looks like, how does it affect other industries,
different industries. You know, if you have an e-commerce client, it's going to affect
(03:12):
them a lot differently than if you have a legal professional whose website just
kind of needs to be updated. We're going to talk a little bit about enforcement. There's
very limited published enforcement decisions right now. We'll talk through some of those
and sort of talk about what the future is, what we see as where the areas of enforcement
will be in the future for CCPA, but also privacy enforcement in general. And then I'll just
(03:37):
do a quick summary and then we'll have Q&A. So I'm going to jump into this. This is me.
I'm Diana Iketani-Iorlano. I have been practicing since 1997 in Los Angeles. I'm a graduate
of USC Law School. I hold, as Belinda said, the Fellow of Information Privacy. These certifications
on the left are all from the International Association of Privacy Professionals, IAPP.org.
(04:00):
Many of you have heard of the organization. Maybe you've even attended seminars and events
that they hold that they are sort of the preeminent privacy certification organization. There
are many, many others that pop up all the time. But I hold the CIPP for U.S. that's Certified
(04:21):
Information Privacy Professional for the U.S., for E, and for ESA. And then I also hold the
Certified Information Privacy Program Management Certification. These are not necessary. You
don't have to have these to practice in privacy. But it is helpful. And I'll talk a little
bit about that when we talk about what it means to be a privacy lawyer. So I'll jump
(04:45):
right in. CCPA stands for the California Consumer Privacy Act. It was passed in 2018
and went into effect in 2020. And it was the first comprehensive state privacy law in the
nation. We had just come on the heels of the GDPR in Europe, General Data Protection Regulation,
and then California said, hey, we want to get in on that. So California came out with
(05:09):
a law that was pretty hastily passed. So it got passed and it was the series of a very
quick set of negotiations. And so there were some flaws with the initial law. And then
they tried to iron some of those out with the California Privacy Rights Act, which amended
the CCPA. So when we started out with the CCPA, there were certain definitions that
(05:36):
were there. What businesses fall under the CCPA? And there were thresholds of 25 million
or more in annual revenue. It was unclear in the first incarnation of the law, whether
that was worldwide revenues, just California revenues, or what it was. It applied to 500,
(05:56):
if you had the data of 500,000 or more, I'm sorry, actually, that's the type of it's 50,000
or more data subjects. And whether you had 50% or more of your revenue being derived from
selling or sharing information. The consumers that were affected were California residents,
(06:20):
people who were here for anything other than just a transitory purpose. And the definition
of personal information wasn't exactly aligned with personally identifiable information that
had been defined in the GDPR. So personal information here included names, addresses,
email addresses, but it also included IP addresses, any sort of identifier that went with the
(06:44):
device. And so it was a much more encompassing definition of personal information. It also
had a definition of sale of information, which was giving information to a business or a
third party for monetary or other valuable consideration was kind of vague on what that
meant. And who were third parties service providers were defined, there are people that
(07:06):
you had to have a written contract with that were providing a service to you. And that
you could share information with because you had a written contract and the written contract
had to contain certain things. The third parties were people that you didn't have a
contract with. And so it encompassed a lot of people that we may share information with
that aren't providing a given service to us as a business. The early version of the CCPA,
(07:32):
the 2020 version, excluded employee data because employees and business to business data, they
weren't consumers. So that exclusion, though, would eventually disappear and sunset out.
But it gave important privacy rights to consumers in California, the right to know what information
(07:52):
was being collected about them, the right to access that data, the right to delete that
data, the right to opt out of the sale, the right to non-discrimination. And it introduced
this concept of a global privacy control, which we'll talk about a little bit later
as well. But the idea that there should be a setting that people can set to tell businesses
(08:15):
that they visit on the internet that they don't want to have their information sold.
The technology was not quite where the law was. And we'll talk about that. That's an
ongoing problem with privacy is that typically the technology is going to outpace the law.
Here the law sort of outpaced the technology where one of the creators of the CCPA, I heard
(08:40):
him speak recently and he said, I just think that there should be one button you can push.
And this theme is going to be ongoing. One button that you can push to opt out of things,
to make it a seamless consumer experience on the web. And we just don't have that as
of yet. But maybe it's coming. The CCPA also required reasonable data security. The minimum
(09:02):
you had to have was a written information security program and an incident response
plan. So those were sort of the minimums, but reasonable, like we all know if you're
an attorney, you know, from law school, the reasonable person standard, we try to define
that. But maybe there's a little wiggle room there. So the big issue that CCPA introduced
(09:26):
was the private right of action. But the private right of action for an individual to sue under
the CCPA only was limited to if a company had had a data breach, then an individual could
sue for a violation of the CCPA. But you can bet that when they were going to sue for a
violation of the CCPA due to a data breach, they might say, and by the way, you didn't
(09:49):
comply with the CCPA in all of these other ways. I'm a former litigator, I litigated
for 20 years before opening my own firm. I was at a big firm in West Los Angeles. And
you know, as we all know as litigators, what happens is that a predicate violation of an
underlying statute can be a violation of an unfair business practice. And so we were all
(10:13):
very worried that a huge rush of unfair business practice, unfair competition types of claims
would arise from strict violations of the CCPA. That didn't end up happening. It's definitely
a component of the privacy litigation. And we'll talk about that. But I think that that's
the risk is still there. So having clients comply with the CCPA as amended by the CPRA
(10:38):
is a really important business step, because if they do suffer a breach, there's kind of
an open door for consumers to come in and sue on these technical violations. And as
we know, there are a lot of agencies, state agencies, federal agencies that want to enforce
individual privacy rights and sort of what they expect of businesses that conduct business
(11:02):
on the internet. So moving to the CPRA, the California Privacy Rights Act, it's not a separate
law. So I just want to make that clear. The CPRA amends the CCPA. So some people will
colloquially call it CCPA 2.0. But really, when you refer to it, it's the CCPA as amended
(11:22):
by the CPRA. So you can keep using CCPA. You don't have to do CCPA, CPRA, even though
that was in the title of our program. We wanted to hook you in with that. But it's the CCPA
as amended. And how it has been amended is that it's still the thresholds are still the
25 million in gross revenue in the preceding calendar year. So that was more helpful to
(11:46):
define what the gross annual revenues were. And it's for businesses that buy, sell, share
personal information of 100,000 or more California residents. So they actually raised the threshold
from 50,000 to 100,000. Or businesses like data brokers that may derive 50% or more of
their annual revenue from selling or sharing consumer personal information. Like I alluded
(12:10):
to, the employee and business to business exceptions ended on January 1, 2023. So that's
new, right? The CCPA applies to employee data. And it applies to even email addresses that
you're collecting in a business-to-business context. So it's
much more encompassing. It's much more like GDPR in that way, where it really is just
(12:35):
sort of looked at as a right that everybody, all California residents have. The CPRA also
introduced some new privacy rights, the right to opt out of the sharing of personal information
and to limit certain uses of sensitive personal information. The categories of sensitive personal
information are going to include things like your social security number, some financial
(12:57):
information, it's going to include health information, biometric information, and precise geolocation
information. So if you have clients that have apps that are tracking people, they may be
collecting sensitive personal information. And if they're sharing that with other businesses,
then the CCPA as amended is directly relevant to what they do. And you have to know that
(13:20):
when you're working with a client that may have those types of data collection. The right
to correct inaccurate personal information, we all want that. It should be a fundamental
right, but it just hadn't been articulated before. And then the right to enhance privacy
about what a business does with the information they collect. So how long did they keep it?
(13:41):
The data retention period is very important. And who are they giving it to? And why are
they giving it to that other business? What's the business purpose for sharing information?
It also created minors' rights. So typically on the internet, we view people who are over
16 as being able to interact, to contract, to agree to things. Query whether the age
(14:05):
of majority in a specific state may be higher, might be 18, might be 19, might be lower.
But on the internet, for most purposes, we say that kids over 16 can agree to things.
Kids under 16, but over 13 may need to, you may treat them differently. The CPRA said
that they actually have to give affirmative opt-in consent if they're between 13 and 16.
(14:31):
And then for children under 13, 12 and under, we have to obtain parental consent if we want
to send communications to them, if we want to market to them. Typically, there's going
to be no marketing allowed to children who are under 13. But if a child who's 13 to 16
expressly opts in and says, yes, I want to get that information about my kids into Roblox,
(14:52):
I want to get that information about Roblox, you have to create a mechanism for that. So
if you are a company that is a child facing establishment, a child facing property, you
need to know about the changes to these laws. And another big thing, excuse me, that the
CPRA did was it created a separate agency, the California Privacy and Protection Agency,
(15:14):
that was imbued with the ability to enforce the law too. Now the CCPA is up and running,
it's a functioning organization, they're still having rulemaking and regulation discussions.
And you can get on their mailing list if you want to get more information about the actions
that the CCPA takes. I encourage you to go to their website, it's going to be listed
(15:39):
in the resources that we provide with this, with the materials. But you can get bulletins
and updates on what the CPPA is doing. So that's important. Again, we talked a little
bit about sensitive personal information and what that means. Here's a little bit more
detail about what's included under sensitive personal information. So what I'm hoping to
(16:04):
do with today's webinar is really talk to you about ways that you can also value add
with your existing clients, even if you are not a privacy lawyer, maybe you're a corporate
lawyer, maybe you're a litigator, maybe you're just dealing with a lot of startups and entrepreneurs
who have not so much guidance as to what they need to put into their privacy policies
and what they need to do, or maybe you're helping somebody develop a new product. Having
(16:29):
a background in privacy is really important for that, to understand data collection and
data retention and data minimization, which is the concept that we want to encourage our
clients to collect as little personal information as they need to provide the services that they
provide. Data minimization is a really important concept globally, and it needs to be proportionate.
(16:56):
The way that we handle the data needs to be proportionate to the sensitivity of that data.
So we'll talk a little bit about that as we go on through this. But the CPRA, again,
clarified these obligations on a business, that they had to provide a written notice,
that they had to have retention periods for these things. And if any of you have worked
(17:17):
with corporate clients, they sometimes say, hey, we keep information forever because we
can. Now the CCPA, as amended, says, no, you can't do that anymore. And the data breach
statutes for various states, all 50 states have different data breach statutes, they
say, if you have unencrypted and unredacted information, that's a data breach. So it really
(17:43):
forces us to talk to the clients about what data they're collecting, how long they're
keeping it, and how is it stored? Is it encrypted, or is it just out there? Or is it still in
boxes in a storage room somewhere that no one has gone into for five years? That's part
of the conversation you can have about what kind of information is stale, what kind of
(18:06):
information needs to be destroyed, and can we create a policy, even a prospective policy
of, hey, we're only going to keep this information for X number of years. It's an important conversation
to have with your clients. Deletion requests, do we actually have the ability to delete
someone's information? Is it all stored in the cloud? Is it stored on our servers? Is
(18:31):
it stored in multiple different places where maybe we don't actually know where it goes?
Or are there employees in your company that downloaded a client list and it's residing
on their hard drive that's not connected to the internet or not connected to your server?
It really requires us to look at data hygiene and how clean we're keeping our data. We've
(18:54):
heard things about clients who have clean desk policies where the physical information,
you're not supposed to leave physical information out there for anybody to find. But let's say
you have a client who's using Google Drive to store all of their information and they
didn't know that there were security settings there that could lock the information. And
(19:14):
so an employee sent a link to the information to themselves at their home address and then
forwarded it to somebody else. We find these out sometimes in corporate espionage cases
or an unfortunate departure of somebody from the company. You find out that they've sent
information. But the company should know what data they're collecting and where it's stored
(19:41):
and whether they have adequate security measures to protect that information. When you have
Google Drive, there's a way that people can just send a link. If you don't have the document
lock, they can just send a link to the document to anybody. And if that document contains
sensitive personal information of customers or employees, that could potentially be considered
(20:02):
a data breach. So there's things to think about there. The CPRA also imposes obligations
for contract. So all of you transactional lawyers will love that you do need to add
these terms to your basic MSAs or other agreements or the terms of service or the whatever terms
(20:23):
your customers are agreeing to that talk about the relationship of who the company uses as
a service provider or how they protect information that's provided to contractors or anybody else.
We have to have adequate provisions that prevent those people from using the information for
any other purpose than what we hired them to do. So that language actually is required
(20:48):
to be in the contract. When we look at things like loyalty programs where we may be providing,
the client may be providing a financial incentive, sign up for our newsletter and we'll send
you a 15% off coupon. That happens all the time. We actually have to look at the value
of the financial incentive and the value of the information that they're giving us. And
(21:10):
sometimes we're not able to discriminate against people who give us their information and people
who don't. So the clients may need to think about whether that offer is to everybody who
comes onto their website or is it really just tied to people who give their information.
But it's an assessment that we have to do. We talked about the opt-in for minors who
are under 16. It has to be an affirmative opt-in. And traditionally, the United States
(21:37):
has been an opt-out regime where you sign up for something and you put in your email
address and they can send you an email and then you have to affirmatively go and opt
out or unsubscribe. But here it's different. So if you have knowledge that your audience
contains members that are under 16, now you have to figure out a way to find out what
(21:57):
age they are appropriately without collecting too much personal information. And so age
gating, finding a way to restrict access to certain ages, may be part of your business
plan at that point if you have a child-facing property. We also need to make sure that that
consent is freely given. It's informed. So we're going to have to tell them, look, if
(22:21):
you give us your information, here's how we're going to use it. And I think that we, as lawyers,
sometimes we are bogged down by, we need to put all of these things into this policy.
I like to joke that I write things that people never read because I write privacy policies
in terms of use and cookie notices and things that you scroll through and you click. But
(22:45):
I would encourage you, if you're interested in privacy, read what's in there. You will
find out amazing things about what a company can do with your information. Now, you may
not be able to do much with what Apple's new terms of service or the latest iOS update
are going to be, but I think that it will open your eyes as to what you want to be doing
(23:07):
and what consents you want to be giving out or whether you need to take a second look
at a company's privacy policy to learn what they're going to do with your information.
We have to do risk assessments now under the CPRA. Again, we're talking about the proportion
of quality of whether the protection of the information is related to the sensitivity
(23:30):
of the information. I think there's a lot more to privacy than just writing privacy
policies. I'm sure that many of you get asked, hey, can you just write me a privacy policy
or can you just look at what I pulled off the internet and tell me if it's okay? I want
to throw up huge red flags and tell you there's so much more to it than just the privacy policy
(23:56):
and what is the consumer facing part of privacy. Internally, the client actually has to be
doing what they say they're doing in their privacy policy because otherwise it can be
a violation and CPRA, CCPA violations can get quite expensive. As a practitioner, I
(24:19):
want to tell you that privacy is obviously timely. I'm hoping that you walk away today
with some information about ways that you can protect your own privacy, your own data
privacy. Obviously, it's the subject of much news all the time, what's happening in privacy,
what new states are coming out with privacy laws. But it is also creative where you are
(24:41):
crafting solutions to actual problems and maybe acting as more of a business partner
to your client to find out what is the reason why they're collecting this information? Are
they just collecting it because they've always collected it or is there a reason why they
need to keep collecting it and who do they give it to? We have to be creative about looking
(25:02):
at the business reason, not just the legal reason, but also the business reason. But
I'm also here to tell you that privacy is challenging and we'll go into this. This is
one state's law that we are going through and it happens to be one of the most stringent
in the nation, but other states are coming on hot. They're coming in hot with new requirements
(25:26):
and so as a privacy practitioner, you have to look at what's going on internationally,
what's going on in other US states, what is the exposure that your client may have as
a former litigator. I love looking at the risk management parts of it to say, is what
my client has done, is it going to be defensible? Litigators, this applies to you, transactional
(25:52):
lawyers, this applies to you, compliance lawyers, government lawyers, this applies to you. When
we're looking at what businesses do with their privacy policies, with their internal privacy
practices. Okay. Some of the newer things introduced by the CPRA, but not quite fleshed
out yet, are the disclosure of automated decision making technology and then the general idea
(26:20):
that dark patterns are not valid consent. If you have a consent bar that says, I like this
because I've always thought this was a horrible thing to do. You go into a website and they
say, do you want this coupon for 15% off? It says, you know, claim my coupon. The other
button says, no, I don't want to save money. I hate that. It's so offensive to me, but
(26:45):
that's a dark pattern. When you're actually shaming somebody for opting out, right now,
what we need to do is make sure that they're equivalent. So if it's accept, decline, that's
going to be a much better thing than when you're sort of coercing somebody to accept
because you've told them they're an idiot if they don't accept, they decline. So dark
(27:07):
patterns are things where you may be persuading somebody to consent to something because maybe
you're hiding the decline button or the no thanks button is really, really tiny and you
just don't even know where it is and all they want to do is X out of that window, but there's
no X and all that they see is accept. The enforcement agencies are going to look and
(27:29):
say, that's not valid consent. You didn't give them an equivalent option. So we're still
seeing more clarification on what dark patterns may be and other agencies are looking at this
and saying, yeah, you can't do that. Let's just be transparent to people and say, accept
decline. You've probably also come across it when you go to a cookie consent banner that
(27:53):
pops up. And the only option is accept all. And you're like, well, I'm pretty sure I have
the right to decline these, but I don't know how to do it. Or conversely, you get to the
banner that pops up and it says, you know, it's a slider button. And you don't know if
the slider button is it on or is it off? And if it's on, am I accepting the cookies? Or
(28:17):
am I declining the cookies? We as privacy practitioners have to advise the clients on
how to make that really clear and transparent to the users of their website, to their customers.
So there's a lot of things about, you know, website UX user experience issues that that
privacy practitioners have to learn about and have to use to advise our clients adequately
(28:39):
on whether or not it complies with the law. So with the CPRA too, you know, there is,
like I said, the CPPA, the California Privacy and Protection Agency, which is a separate
state agency now charged with enforcing the CCPA as amended. In addition, though, the
California AG's office, the California Attorney General still retains jurisdiction to file
(29:04):
enforcement actions for violations of the CCPA, or, you know, it could be an enforcement
action that also talks about this unfair business practice, this dark pattern. So you have
two agencies here and then federally, we have the FTC, the Federal Trade Commission wants
in on the action, obviously, these are huge issues of importance. And this is a non partisan
(29:28):
issue too, if I might throw in a smidge of politics. These are issues, privacy issues are
non-partisan. They are issues that everybody wants. And I'll tell you that children's privacy,
especially is a focus of a lot of these laws and a lot of the legislation that's happening
around the country. Health privacy is also very, very much on the radar. So California also
(29:54):
has, you know, the California Medical Information Act, California has, you know, 50 some odd
privacy laws, in addition to the CCPA. So as a privacy lawyer, you also have to know
what the landscape is of privacy in the state. But these are non-partisan issues. So if
someone's going to say, Hey, we have to protect children's privacy, there's a lot of people
(30:16):
who can get behind that. So if your client is again, focused on child facing properties,
they need to understand COPPA, the California or the Children's Online Privacy and Protection
Act, which is a federal law, they need to understand these California laws, they need
to understand laws throughout the world if they're marketing their services to other
(30:38):
countries as well. But I think, you know, some of the major issues with the CCPA,
and the changes introduced by the CPRA in 2023 are that they're no longer required
to give you notice a safe harbor period. Initially with the CCPA, you would get a letter,
(30:59):
you'd have 30, that's gone. So if your client does receive a letter from one of the state
agencies that says, Hey, we're investigating you, you must be prepared to respond. I think
that that's really important. I'm sorry, I'm just looking at a couple of questions and
I want to encourage you to ask questions. I'm going to go ahead and look at a couple
(31:24):
of questions. So one is, does the CCPA, CPRA, CAADA and COPPA
apply to nonprofits? You have to look at the specific statute. So CCPA doesn't apply
to nonprofits, but it might apply to some nonprofit activities. If you are sharing information
(31:45):
that doesn't have anything to do with the operation of your nonprofit, could it apply?
I think you want to do that analysis with your client to say, Hey, are there any other
parts of the business where you are potentially profiting off of the selling or sharing of
information of your, whether it's your donors or your volunteers or things like that. So
(32:06):
I think it can be tricky. COPPA is going to apply to anybody who's directed at minors.
So definitely take a look at that. If you were a nonprofit addressing minors, I would
think you would still want to comply with COPPA, even if it strictly didn't apply to
you. Because like I said, if you're collecting and buying and sharing the information of minors,
(32:33):
that's not a great look. So, you know, are there people who are not going to use your
organization because you haven't had a statement that you comply with these various laws?
Possibly. I will talk at the end about the whole goal of this is to actually provide
a better user, consumer, customer experience where they know that they can trust you because
(32:59):
you've been transparent about how you use information. And this applies to all businesses.
Whether or not you're required to comply with CCPA, you still need to, people still expect
you to have a privacy policy. You still actually have to have one under other California state
laws. But they want to know what you do with their information. And they're kind of expecting
(33:20):
these things to be in a privacy policy now. So the idea of building customer loyalty by
being transparent, that applies to everybody. Small businesses are exempt if there's less
than 25 million in gross revenue. That's correct. The CCPA does not apply. But make sure you
look at those other elements. You know, are you deriving a lot of your business from buying
(33:45):
and selling information? You know, data brokers would still fall under CCPA even if they weren't
25 million dollar companies because they are buying and selling information. So think about
all three. If you're the three elements, the thresholds for CCPA application, if your
client hits any one of those, if your client has 100,000 visitors on their website, maybe
(34:11):
they don't have 100,000 customers, but they have, you know, 300,000 hits or, you know,
10,000 hits a month from California residents, they may well fall under CCPA. So like I said,
privacy is challenging. There's a lot to consider here. And like I said, too, the, the, what
(34:32):
we're seeing is this focus on children's privacy. The CPRA amended the CCPA so that there's
treble damages for minors who are under the age of 16. So for clients who are in those
areas, I think they really have to do a data privacy impact assessment, the DPIA. Really
look at what information are we collecting, what's our business reason for collecting
(34:55):
it, and have we made that transparent. Or maybe when we assess that information, I'll
give you an example. I've had a client that likes to collect birthday information because
they want to send people, you know, just a nice note on their birth month. And that's
lovely. But we had to answer the question of they were asking for a birthday month and
(35:18):
year. I don't know that they need the year, right? Maybe they need the month only. What's
your birth month? That's a lot less personal information than asking somebody who may
already have registered with you their name, their email address for their birthday month
and year. I don't think most companies need that information. That being said, maybe if
(35:41):
you're a company that's directed at minors and you're age gating, you're trying to figure
out whether they meet the threshold, you might need that information for a year. But talking
to the individual client and say, do you need to have that? Or if it's really just like,
hey, we send you a happy birthday email, maybe you just need the day in the month, maybe
you just need the month and you send them all out on the first of the month. Maybe that's
(36:04):
possible. So thinking about the data minimization is kind of a constant struggle, right? We
constantly have to look because it may be that your client hasn't thought of the ways
they could limit their potential liability. I'm going to run back into the slides. I will
(36:28):
come back to some of the questions that I see in the chat. And then again, we'll have
Q&A at the end. So feel free if you would rather save your questions till later. You
can drop them in there. We'll try to answer them. And then we'll definitely have the Q&A
at the end. What I find really fascinating is that even during this holiday season, I
don't know if you've seen it, the California Privacy Protection Agency is actually putting
(36:49):
out ads to tell consumers what their rights are. There was a television ad I saw. I saw
a print ad that's telling people, hey, hold businesses accountable. You need to know what
information they have. And it's really not something that as a seasoned litigator, I've
seen an agency like telling people, we want you to report things. And by the way, consumers
(37:11):
can report what they believe are violations to the CPPA or to the California Attorney
General. But they're messaging to consumers for all of these rights that we talked about
is that your data should be locked. These are your rights. You have the L, which is the
right to limit the use and disclosure of sensitive personal information. O, the right to opt
out of the sale of your information or the sharing of it for cross-context behavioral
(37:36):
advertising. C, the right to correct your inaccurate personal information. K, the right
to know what personal information businesses have collected about you and how they use
it and how they share it. E, the right to equal treatment. And this is the non-discrimination
thing where they can't discriminate, businesses can't discriminate against you for not providing
(37:58):
your information or for exercising your rights. So if you say, hey, I don't want you to have
my information or I'm going to write in and tell you, hey, I don't, I want to change this.
I want to delete it. They can't treat you differently. And then D is the right to delete.
So they've come up with this catchy acronym that I frankly am just surprised about. So
(38:23):
if a consumer wants to come to your clients and say, hey, is my information locked, they
could come and say that. It's just going to be pretty interesting to see whether consumers
respond in that way. Because the other thing that we've seen is that the amount of data
subject requests has not risen to the level of what we expected to have happen once these
(38:44):
laws came out. There are obviously companies that you can use that will go and opt out
for you. You can use an authorized agent to opt out of having your personal information
in places. And as a privacy lawyer, I sometimes have very dull Friday nights. So I will go
and exercise my CCPA rights as a California resident, and then I'll see what they send
(39:07):
back to me. Some companies, it comes immediately. Some companies take some time. But I'm always
curious to know what their processes are and whether they're actually doing what they
say they're doing. So, hey, if you have a free Friday night and you want to join me,
start sending in your CCPA requests to various companies and see what comes back. It'll be
(39:27):
interesting. I'm sure that there are better things to do with your Friday night. But
privacy lawyers are kind of inherently a little nerdy. And I embrace that. I live that truth.
So, CCPA compliance, like I said, it is challenging. But in general, we want to know what does
it look like? What does it look like outward facing? The requirements for CCPA compliance
(39:51):
are a notice that collection. This is the notice typically in a privacy policy or a
separate notice that says, here's the information we're collecting about you. Here are the business
reasons for which we use it. Here are the parties to whom we transfer it. And so it's
a little bit more in depth than we've seen in prior privacy policies before CCPA came
out. In California, if you are under CCPA, you also need to provide a notice to your
(40:16):
California employees and job applicants and contractors about what information you're
collecting about them. So, we know now that people use a lot of different sources to put
up their job listings, right? Maybe you use Monster, Indeed, or LinkedIn. You really need
to make sure that you have a link to a notice to employees prior to them sending in information
(40:42):
about how you're going to use their information, how long you're going to keep it. And the
employment lawyers here will also understand that there are different data retention requirements
in California for certain information that you collect about job applicants or employees,
whether it's EEOC stats or whether it's California statistics that you need to retain. Those
(41:04):
may be in conflict with the general retention policy that the company has for all information.
So employee information may be a very important thing to know. If you're an employment lawyer,
you absolutely should have a basic understanding of what the CCPA requires. And then we all
know that privacy policy terms of use, cookie policies, you know, there's some debate as
(41:25):
to whether a cookie policy needs to be separate or not. But in general, you've all now seen
there are so many ways that individuals can control our cookies, you know, accept or decline.
What do I do? And I'll tell you my preference on that. I have had enough situations where
when I decline cookies, well, let me back up. In general, my settings are set up to
(41:49):
decline the GPC, the global privacy control is activated on my browsers that I use. And
I typically decline cookies when I have an opportunity to do so. Sometimes that will
affect the functionality of the website. So then sometimes I'll have to go back, turn
on my cookies, use the website, go back out, delete my cookies. It's really a personal
(42:13):
a personal choice of how good you are about your digital hygiene. Right. If you're a person
who leaves all of your browsers, Windows open forever and doesn't turn off your computer
and and has, you know, 500 tabs open on your phone. You know, maybe you're not as vigilant
about your digital hygiene. So maybe accepting cookies for you is is something that is a
(42:38):
value add, but people are transacting in your personal information. So decline cookies when
you can, clean out your cookies, clean your cache, do all those things. And just like read
the privacy policies, read what you're getting into. I would recommend that for anybody.
CCPA compliance also requires that they have a mechanism for people to write in and request
(43:02):
all of these different rights. So sometimes you've seen it as a web form. The CCPA required
for a while that you also have a toll free number. And then they modified it saying,
if you transact business exclusively online, you can have an email address, because a lot
of people didn't have toll free numbers. So there were vendors that were touting,
(43:23):
hey, you can get a CCPA toll free number with us and, you know, for that purpose, but they
have evolved a little bit. The "Do Not Sell My Personal Information" link should be there.
And the agency has proposed this universal opt out icon that you may have seen on some
websites, not everybody's using it, but it's this little blue and white. And again, the
(43:47):
checks and the check. Still, I think some of you using even as a practitioner, does mean
I've opted out or does the check mean I've... unclear, but the CCPA has an
icon for the opt out and it's available on their website. You can your clients can download
it and upload it into their site if they want to use that. We have to if you're collecting
(44:12):
and sharing sensitive personal information for cross contextual behavioral advertising,
you can they can limit the sharing of it, you need to have information in your privacy
policy that said you were either collecting it or not. And if you are, you have to allow
them to limit it. Like any consumer requests, we always want to verify it. What does that
mean? There is a proportionality test here now where look, if somebody's just asking
(44:37):
you to delete their, their email address, and what they send to you is the same email
address you have. Do you need to ask them for their driver's license to verify their
identity that they're the right person who's asking for this act up? Probably not. Right.
So verifying identity really depends on what type of information they're trying to access
or delete or what their request is. If they're saying, Hey, delete all of my account information.
(45:07):
You kind of have to understand why they're doing that. So maybe you really do want to
verify that there's the other consumer that they're asking about, or that they have authority
to ask for someone else's information to be deleted. Because you can have authorized agents
making these requests. So if I wanted to make a request for my son, I could write in and
say I'm his mother, I have the request, you know, the ability to do this and they might
(45:30):
say, Well, how do I know that you're his mother? Maybe they wouldn't. But if I say, Hey, I'm
requesting this for my husband. I might do a little bit more research here and say, you
know, is there a document that grants you authority to do this? Because you know, we
the worry is that somebody could nefariously use this to delete information that might
(45:53):
need to be there. So put yourself in those shoes and kind of see if there's any risk.
If you deleted the information, is there a tremendous risk to that person? Or is there
not? And again, there are always exceptions to deletion. If it's an ongoing relationship,
you need the information to fulfill a contract, your client can decline to delete the information.
(46:14):
There's a whole list of exceptions on the CCPA for why they would not need to delete
it. But they do have to respond and tell the requester why they're not deleting it. So
there should be a workflow within your client to determine who is answering these requests
and what is our standard procedure. So again, there's the external facing parts, but there's
(46:39):
the internal parts for the company to understand what their privacy program looks like and
who is in charge of actually fulfilling these requests. Typically under the CCPA, you get
45 days to respond. You actually have to respond to the request within 10 days, but you get
45 days to actually process it. And then if you need more time, you can get another 45
(47:01):
days. But the opt out requests for emails should come within 15 days, just as a matter
of the guidance that we've been provided. The other thing to think about is that the
CCPA actually requires training and education of people who are responsible for handling
these inquiries. So if your client has a customer service line and the customer service representatives
(47:24):
have no idea how to process a CCPA or any privacy request, that's a problem. You've
failed because they need to be trained. And I would recommend at least annually on privacy
issues and sensitivity to information and how to handle requests. And again, it's reasonable
measures for data security and privacy. So your IT team does need to be involved in this.
(47:49):
We need to make sure that they've taken reasonable measures to protect the information. I'm running
out of time, so I'm going to run through a couple of these things pretty quickly. The
impact is going to be different on different industries. Data brokers are now subject to
a data broker registry in California. And it's an annual fee and an annual registration
(48:10):
and the enforcement actions. So the enforcement advisories have really focused on reporting
requirements for data brokers and whether they've registered. So if you have a client
who is a data broker who is actively buying and selling information, you need to make
sure that they know that there are certain requirements under the CCPA. We're finding
(48:32):
that e-commerce and retail companies that operate online, this is where we get a lot
of requests for deletions and things like that. So make sure that their policies are
up to date, that you've done the value add of saying, hey, I'll look at your website. And
I saw that your privacy policy hasn't been updated since 2018, which is a recent client
(48:55):
I just got. I'm like, I'm pretty sure that if you haven't updated it since 2018, you're
out of compliance. We are generally recommending that our clients review their privacy policies
at least six months, every six months, because there are so many new privacy laws coming
up around the country. So if you have a client and you're looking at their website and it
(49:18):
maybe it doesn't have a date when they actually enacted it, or maybe it was prior to 2020,
or if it was prior to 2023 when the CPRA changes affected the CCPA, hey, there's a value add.
You can tell your client, hey, I was looking at your privacy policy, and I think it needs
to be updated. Do you want me to take a look at that? And if you don't know what to do,
call me. There is a lot that needs to be changed for these policies. GDPR 2018, CCPA 2020,
(49:46):
changes in 2023. There are new states coming online with new privacy laws. There will actually
be seven more states coming online with new privacy laws in 2025. So if your client is
operating around the country, they need to update their privacy policy. Your client may
be operating in Canada. Canada has a national privacy law, and they have provincial privacy
(50:11):
laws might be important for clients operating worldwide. There are so many, there's like
119 different countries that have their own privacy laws right now. So if you need to
call in a professional, no shame in that. But I think the value add for your client
of saying, hey, this may be something you need to look at is absolutely valuable to
(50:32):
them. So when we talk about the enforcement actions that have happened, there aren't a
ton. There are a ton of letters that have gone out though to individual companies telling
them what is wrong. There are some resources that I've provided you in this deck that you
can go to to see what the enforcement requests have been. Take a look at that. It's really
(50:54):
important. The Sephora action was the biggest one that we had with the state AG in California,
where it was a $1.2 million order. And it was about sharing information ostensibly through
cookies and through tracking. So your clients really need to be aware of what they're doing.
And it's not enough to say, well, I didn't know that we were doing that. The clients
(51:17):
really need to understand how these tracking technologies are working on the website. And
not giving people the opportunity to opt out. That was the DoorDash case and that was $375,000.
Tilting Point Media for children's games. Again, because children's privacy is so important,
what they have were software development kits that contain tracking information in them.
(51:37):
And a lot of times with tech, the SDK case, the software development kits might be open
source. Maybe their developers didn't even know it was in it. They just put the code
into the game, but it was tracking. And so they got hit with a $500,000 fine on that.
So clients really need to understand what's in their code, what's happening. And I threw
in the Google location privacy practices act or action here. It's not under the CCPA, but I wanted
(52:05):
to explain how these privacy rights dovetail with unfair competition laws and false advertising.
This was a $93 million case. Google it. Google the Google case. But it's really important for
clients that are collecting location privacy issues and for information. It's really important.
With the CPPA, it is only just recently gotten up and running. So their enforcement actions are not
(52:30):
numerous. But what they did recently publicize was their settlement with data brokers. There were a
number of data brokers that failed to register and paid this annual fee. And that was definitely a
priority for them. So what we're seeing is that the CPPA has put out enforcement advisories.
They're giving us a roadmap, what they are planning to enforce. Data minimization is part
(52:53):
of it. I've given you the link here if you want to understand more about data minimization
and avoiding dark patterns. There are only two enforcement advisories that the CPPA has put
out. So read them and understand them and see if they apply to your clients. Other things to think
about are how privacy issues might come up. There are specific requirements in your annual
(53:14):
reporting to the SEC if you've had a data breach. So clients need to understand that the privacy laws
not only would you have to potentially be subject to a CCPA action, but you could be subject to the
various states' data notification and reporting requirements. But also you may have to report it
to the SEC in your 10-K or in your other filings. This also comes up a lot and I'm being called to
(53:39):
consult a lot on M&A deals where we're trying to figure out whether the selling company has
acquired valid consent for their customer list to be able to share it with a buyer. So think about
those issues as well. There's an inherent value to information if you've collected it properly.
If you haven't collected it properly, it's going to diminish the value of that information.
(54:05):
Privacy litigation too, as a former litigator, I am seeing really novel uses of existing laws
to address privacy and what information is being tracked. You may have seen or seen demand letters
about pixel tracking, which is, there's a Meta pixel, Facebook pixel, that's operating on your client's
website. And so your client is giving information about the visitors to their website to Meta,
(54:31):
but maybe they haven't disclosed it. Maybe they didn't even know it was happening. So we are seeing
an uptick in that type of litigation, the Video Privacy Protection Act, the VPPA, which
originated with Justice Bork when Justice Bork was being nominated for the Supreme Court.
Somebody went in and looked at his video viewing history. Now they're applying that to
(54:57):
videos that people might look at on your client's website. Is your client telling YouTube that they
looked at five videos on whatever topic they had on their website? That could be a violation.
These are still novel concepts. They haven't gone all the way through to trial.
But the idea of whether or not somebody actually has standing to raise some of this privacy
(55:17):
litigation or does the CCPA supersede any of these claims, that's all still remains to be seen.
Really quickly, still to come, the CPPA has not yet finalized the CCPA. So they're really looking
at the regulations and what deletion mechanism might allow consumers to request
(55:40):
this one, the one-shot, one-button opt-out. They are asking the CPPA to come up with a mechanism
that would allow people to request in one-shot deletion from all of the data brokers of all of
their information. Obviously, this is going to affect the data broker industry quite a lot,
but I'm really curious to see what that's going to look like. Is it a website that people go to?
(56:05):
Or is it something that gets conveyed to all these data brokers that are registered on the
registry? It remains to be seen. They're still talking about whether the scope of cybersecurity
audits would be available through the CCPA, whether or not what's the depth of a risk assessment that
needs to be incorporated, and then automated decision-making technology. This is where AI
(56:30):
is being used to make decisions. I think AI is obviously a huge topic also related to privacy.
So the enforcement priorities here are going to be the sensitive data, children's privacy,
artificial intelligence, dark patterns. I've outlined for you some other states that are coming
online with privacy laws, and there are comprehensive privacy laws, and then there are other laws that
(56:53):
just affect certain subsets of consumer data. So Washington and Nevada both have a medical privacy
law that requires a separate notice. And we're still waiting on a federal privacy law.
Don't know whether that's going to happen. There were some obstacles, and the California
AG expressly spoke out against the federal privacy law that was proposed. And then if you're advising
(57:19):
global companies, you do need to know what the landscape is for compliance with these other
areas of law. Resources for you for specifically California. IAPP also has a great chart that
talks about all the states that have privacy laws. And then the takeaways here are that privacy is
(57:41):
timely. It's going to continue to adapt. There's not going to be less privacy laws. There are
going to be more. The other states laws are here, so you also need to understand them.
Businesses have to review and update their policies and internal practices at least annually,
but every six months right now. And you have to think of privacy compliance just like you think
of other compliance areas. So are they compliant with this in addition to being compliant for
(58:05):
employment reasons, in addition to be compliant for tax reasons? The technological limitations
are there as well. The law isn't keeping up with the technology. The technology is outpacing,
but we have to kind of understand that this is all very dynamic. We have to be creative about how
we're going to advise our clients on compliance. So again, the takeaway, if anything I can give you
(58:29):
is it's not just about preventing liability for the company. It really is about increasing
transparency, which will lead to customer loyalty and trust. It's proven that having these types
of policies that are easy to read actually helps you gain customers. I'm going to jump into Q&A,
and I have some questions that we still had, and I'm not going to be able to hit all of them. I'll
(58:52):
try. If you have questions, feel free to email me. I'm happy to shout on Zoom if I can help you,
or if it's something that I don't know, I'll let you know. Does this apply to employee private
information and data? Yes, right. So if you fall under the CCPA, then you do need to comply with
(59:12):
the employee notices as if the employee is now a consumer. So you need to tell them what information
you're collecting and how they can delete it. And for employment lawyers, keep aware that you need
to talk to the privacy lawyers, because let's say somebody says, I terminated my employment
and I want to delete all my information, but maybe they're in the middle of a lawsuit with you.
(59:33):
Hey, you got to talk. Both sides have to talk to know. Oh, there's so many. How do I stay abreast
of privacy laws? This is a great question because it is hard. I actually set aside a day,
most of a day, a week just to read because the laws are changing so quickly and so dramatically
(59:55):
that I think you have to stay up on it. There are plenty of law firm blogs that are great resources.
I happen to just know a lot of privacy people now. So LinkedIn, people will tell me, like,
hey, this came out, this came out. And I actually spent a fair amount of time on LinkedIn looking
at my trusted colleagues' evaluations and analysis of things. So if you are lucky enough to have
(01:00:18):
those people in your sphere, feel free to connect with me on LinkedIn. I try to post relevant things.
I know we're at 1:30. HIPAA, somebody asked about HIPAA. HIPAA is a federal privacy law,
and I think people get confused a lot. But yes, it does dovetail. But there's California,
the CMIA, the California Medical Information Act may actually be more relevant for some of your
(01:00:40):
clients. HIPAA only applies to covered entities, and there's a whole other track of stuff we can go
to there. Oh, gosh, there's so many. How should one approach to drafting a privacy with so many
states to cover? Is there a single lowest common denominator section? The good thing is that
California is really one of the vanguards. It's really one of the leaders. But I can't tell you
(01:01:05):
that if you just make it CCPA compliant, it would be compliant for other states because these other
states are coming in with new requirements. Maryland's coming out this coming year, and it has
some funky stuff in it. And then there are these non-privacy laws. Washington has its My Health,
My Data Act law that covers a lot of consumer data that we might not usually think of as medical data.
(01:01:27):
Colorado has its own quirks where it's requiring the GPC. But it's also, I think some of the states
are really trying to make their name in privacy by making it different from California, by really
challenging people on how to comply. I apologize that I couldn't get to everything, but I hope
you'll take away that privacy is amazing. If you want to make it part of your practice, I encourage
(01:01:49):
you. I'm happy to talk to you about it. But it's challenging. You have to stay up on this. It's not
where you're dealing with, you know, Palsgraf in law school and it being potentially precedent
for what you're doing. Sometimes there are no precedents here. So it's really about studying
and learning and maintaining your creativity on how to advise your client how to comply.
(01:02:12):
I want to thank the Beverly Hills Bar Association for this opportunity. I'm sorry there was so much
to cover. But I hope that you got something out of today and you have some actionable things you
can take back to your clients today and say, hey, maybe this is something that we should talk about.
So I'm Diana Iketani, Iketani Law in El Segundo. And thank you so much for your time today.
(01:02:33):
And you may be eligible for CLE credit in your state. Visit bhba.org slash podcasts for more information.