Best Practices, ccpa, Laws & Regulations, Privacy Trends, Resources, Tech & Other Tools

How to Modify Your GDPR SAR Practices for the CCPA

{% video_player “embed_player” overrideable=False, type=’scriptV4′, hide_playlist=True, viral_sharing=False, embed_button=False, width=’1280′, height=’720′, player_id=’8431256244′, style=” %}

Original broadcast date: March 21, 2019 via IAPP Webconference

When it comes to operationalizing your privacy compliance, the need to create efficient ways to deliver data subject rights, specifically those related to subject access requests (including change or deletion), is essential to not only your legal obligations, but also to maintain high quality customer relationships. Honoring these requests is challenging enough operationally, and additional hurdles arise when attempting to comply with multiple laws in overlapping jurisdictions. Being able to deliver in an efficient and effective way is critical to achieving success with your business goals.

 

In this this educational web conference you will hear seasoned privacy professionals discuss tactical and practical ways you can refine your GDPR processes to also comply with subject access requests under the CCPA. You’ll also hear about how you can scale your processes to meet increasing subject access request demand volumes.

 

Host:

Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP

Panelists:

Jerrod Bailey, Chief Strategy Officer, Truyo, an IntraEdge product

Kate Lucente, Privacy, Data Governance and Cyber Security Partner, DLA Piper

 

Want to connect? Email Jerrod, Email Kate, or reach out at hello@truyo.com

 


Extended Q&A

These answers are provided for informational purposes only. They do not constitute legal advice or reflect any opinions on any particular law or regulation. The information contained herein is subject to change and may become inaccurate or outdated over time. You should seek guidance from independent legal counsel on these items.

CCPA ENFORCEMENT

Does CCPA govern non-profit organizations?

No. Reference article “1798.140” where part of the definition of a business requires “for profit of its shareholders” –Rod Forsythe, CPO at Truyo

 

How do we know that the AG will not enforce regs until July 1, 2020?

We know this is likely because the law expressly states that, while it will take effect January 1, 2020, the California Attorney General (“AG”) may not enforce the law until six months after the AG publishes final CCPA regulations or July 1, 2020—whichever comes first. Currently the AG’s office has said they anticipate publishing draft regulations for public comment in the Fall of this year, and publishing final regulations around the end of the year. So, if final regulations are published December 15, 2020, then the AG would be able to enforce the law on June 15, 2020. If the final regulations are not published until after December 31st, 2020, the AG will be able to enforce the law on July 1, 2020. – Kate Lucente, Partner at DLA Piper

 

DATA CENTRALIZATION

By placing all your data in a data lake, don’t you increase the risk of damage from data breach?

In most cases, a consolidated data lake can be hardened against attack much easier than many disparate systems. A single SQL database without adequate protection could house millions of records, serving as a much more accessible vector of attack. Furthermore, you do not necessarily have to create a single data lake, but rather using data lakes as a means of consolidating certain systems, while leaving data in place in already hardened, data-heavy repositories. – Jerrod Bailey, CSO at Truyo

 

With a data lake, how do you handle still deleting/anonymizing data in your backends? If a data lake contains copies of data, but all data actually “lives” in backend systems, how would you accomplish both?

The data lake keeps active copies of the data. If a “delete” request comes through the portal, the source systems are updated either manually or automated. When this occurs, that same transaction is re-sent to the data lake with empty contents, thereby removing the data from the lake. –Rod Forsythe, CPO at Truyo

 

If you have petabytes of personal information, how do you cost-justify having a copy of everything?

Even petabytes of information is not necessarily cost-prohibitive in a data lake scenario. Storage space is relatively inexpensive these days. The savings you will render in terms of manpower time may be far greater than the cost of storage. However, if the bulk of that data is sitting in only a few data repositories, then a mixed strategy may be the best course of action. That is, use data lakes to consolidate many smaller repositories, while leaving you data in other larger systems. – Jerrod Bailey, CSO at Truyo

 

DO NOT SELL INFORMATION

Could we link the Do Not Sell button to the same opt-in/opt-out capture page we use for GDPR cookies? We break our cookie acceptance down by categories, including marketing and analytics.. It seems like there is overlap there and it might make sense to utilize the same tracking system.

Potentially. It depends on your cookie management platform’s capabilities. In addition to however your cookie management solution tokenizes a particular user, you would probably need to collect a minimal amount of identification, like an email, and then either record that user to your CRM or track them in a separate list which you can integrate either manually on a regular basis or via API. – Jerrod Bailey, CSO at Truyo

 

Does Do Not Sell need to go on mobile sites/apps as well?

This is an area of expected clarification in the AG regulations, but given the nature of the requirement, it should not come as a surprise if the Do Not Sell link should be required to be prominently displayed in an app onboarding process, for example. – Jerrod Bailey, CSO at Truyo

 

If a business does not sell information, is the “do not sell my personal information” link still required?

Even if you do not sell data, this link is still required on all sites. – Jerrod Bailey, CSO at Truyo

 

The Online Behavioural Advertising example of Selling is quite confusing. Are you suggesting that if a customer clicks the “do not sell my data” button they are in effect opt-ing out of all OBA activity?

Given the broad definitions of personal information (which includes unique identifier such as IP address, cookie ID, device ID, customer ID) and of sale (includes disclosing or permitting access to personal information by a third party in exchange for monetary or other valuable consideration) third party advertising and analytics activities should be reviewed for CCPA compliance purposes.

For example, website operators/ publishers should review the third party cookies served through their website to determine whether any disclosures through such third parties are a sale under the CCPA. In particular, this may be relevant for third party OBA cookies, where the information collected via the is used to in support of the ad network and multiple advertisers. – Kate Lucente, Partner at DLA Piper

 

Where will companies provide employee privacy policies and “Do Not Sell My Data?

This is currently unclear and is exepcted to be clarified in the Attorney General Regulations or further amendments to the law. – Kate Lucente, Partner at DLA Piper

 

GDPR vs CCPA

You mentioned that being GDPR compliant may not be enough for CCPA. Can you go a little more in depth regarding the areas that a business would need to look into more in order to be compliant under CCPA?

The primary areas to focus on are (1) new data types that are in scope for CCPA, (2) third party and vendor agreements, (3) new or modified rights (e.g. Do Not Sell My Data).Rod Forsythe, CPO at Truyo

 

LEGAL EXEMPTIONS

Do you have suggestions for responding with “no” because data is covered by an exception?

Be careful about binary “no” responses, because the laws often do not cover data used for purpose such as a marketing, for example. But if you have grounds to deny a particular request impacting a particular data use, then a response such as the following may work for this purpose, “Your request has been completed with the following exceptions: Data governed by [law or compliance standard] could not be [provided/deleted] for [legal reasons]” – Jerrod Bailey, CSO at Truyo

 

Does the HIPAA exemption apply only to PHI/ECHRs or all personal information collected on the data subject?

The scope of the exemption depends on the role of the entity and the applicable exemption being relied on. – Kate Lucente, Partner at DLA Piper

 

What kind of health care related data would not be covered by the HIPAA exclusion?

The scope of the exemption depends on the role of the entity and the applicable exemption being relied on. – Kate Lucente, Partner at DLA Piper

 

PROCESSING DATA SUBJECT RIGHTS

Do you know of/have any resources for creating a SAR procedure?

Download the SAR Playbook here, provided by Truyo, for a deep dive on best practices in setting up your systems and processes for efficient processing of data subject access requests.Rod Forsythe, CPO at Truyo

 

{{cta(‘ec250143-f8c6-470d-adbe-0920de0c9be8′,’justifycenter’)}} 

Any recommendations for verifying a consumer request if the consumer does not, or will not, provide an email?

Identity must be validated at least minimally in order for a request to be valid. If email cannot be used, then it must be some other form of identity validation: phone number (send text or audio verification code), ID upload (sent through a 3rd party verification service), or some other method. The problem is that you will not be able to find a person’s data without at least one unique identifier, so a request is only valid if you have received that/those identifier(s) and the person’s identity has been validated. – Jerrod Bailey, CSO at Truyo

 

Can you define California resident?

The CCPA refers to consumers which is in turn defined as an individual who is a resident of California for purposes of the California tax code — so a resident under CCPA is essentially a resident for California personal income tax purposes. – Kate Lucente, Partner at DLA Piper

 

Can you discuss how CCPA requires categorization when responding to SARs? For example, the category of PI or the business use. How will this information be conveyed back to individuals?

When responding to SAR’s (and actually before at during collection of the data), you must inform the consumer what categories of information you collected (i.e. contact information, demographic data, browsing patterns, biometric information, etc.), the purposes of why you collect information (i.e. responding to complaints, new product announcements, communicate with you about your order, product recommendations, etc.). One of the subtle keys is that if you collect data and do not have a purpose attached to it, this is a red flag. Keep in mind, that you also are required to tell a consumer what categories of information you share with other companies and what categories of information you sell. However, this last point could reside in a privacy notice on your site. – Rod Forsythe, CPO at Truyo

 

Can you explain why employee data is covered?

Employment related information is specifically included in the section 1798.140 subsection (I). Additionally, if an employee is a California resident they are defined in scope twice. – Jerrod Bailey, CSO at Truyo

 

Could the photo validation be considered biometric information?

Yes, a photo can be considered a form of biometric information. – Jerrod Bailey, CSO at Truyo

 

Do explicit matches only satisfy GDPR and CCPA access right requirements?

The GDPR and the CCPA provide for realistic levels of effort in supporting individual rights. If fuzzy matching would result in the possibility of a data breach, which would then require significant manual efforts to eliminate such possibilities (but with no guarantee that manual efforts will catch 100% of the cases), then this level of effort may be considered onerous and exceed the level of effort required by the regulations. Therefore, explicit matching can be argued to support the requirements. – Jerrod Bailey, CSO at Truyo

 

Does a CA resident sitting outside of CA still have rights under CCPA? How do we verify a request is coming from a CA resident?

If your company is holding data on the resident, then yes, they still have rights under the CCPA. To validate whether the request is coming from them, you could simply ask them if they are a resident and then honor their request, or you could force them to prove their residency using any combination of photo ID upload and 3rd party services. While the definition of a consumer is quite broad (a natural citizen who is a California resident), the way it is written appears to cover a California resident who is traveling). It is also important to note that unless you specifically “deny” ; products being shipped, or services being offered or marketing emails being blocked ; to California residents you are most likely in scope for the CCPA (assuming your business meets the threshold of a business definition in CCPA). – Rod Forsythe, CPO at Truyo

 

Does CCPA apply to non-CA residents while visiting CA? In other words, the speaker mentioned possibly using IP address to determine what web behaviors should appear. I don’t think this makes sense, and only an affirmative statement from the data subject should be used to confirm residency. Can you confirm this?

The CCPA applies to California residents, not visitors of California. However, accurately determining residency is not always possible, in particular at the point of collection. For this reason, many companies are choosing to manage their data for CCPA compliance-in other words to assume all data collected/processed is subject to CCPA (e.g., for purposes of data mapping and enabling the technical controls needed to comply with access, deletion and do-not-sell requests).

Separate from this determination, some companies are choosing to extend CCPA rights to all users, while others may require some showing of residency by an individual exercising rights under the CCPA. The AG’s CCPA regulations are expected to address validating requests from individuals and so there will hopefully be a bit more clarity on what the AG views as reasonable from this perspective. – Kate Lucente, Partner at DLA Piper

 

Does the CCPA apply to employees or just consumers?

Yes, the CCPA currently applies to employees as well as consumers and households. – Jerrod Bailey, CSO at Truyo

 

In providing the disclosure as to the categories of PI collected, how broadly or narrowly should the categories be? For instance, is “Employment Data” an acceptable category or does it need to be more specific?

Employment data is likely sufficient. The AG’s CCPA regulations are expected to provide some clarity on the categories for purposes of the CCPA notice, privacy policy and transparency obligations. Our opinion is sufficient. – Kate Lucente, Partner at DLA Piper

 

In responding to an access request, CCPA requires a business to provide PI according to the enumerated categories of PI. How should a business respond to consumers if they are subject to multiple privacy laws with different categories of PI?

The CCPA’s reference to “categories” of personal information currently refers to the definition of personal information which enumerates certain types of personal information. As noted previously, we also anticipate the AG’s CCPA regulations will provide some clarity on the categorie”. It’s also important to consider whether any exemptions under the CCPA may apply (e.g., for certain personal information subject to HIPPA or GLBA). – Kate Lucente, Partner at DLA Piper

 

Is a CA Resident someone who has resided in CA for x years; is there some type of law that indicates they have to have lived in the state, x years to be a resident? If someone lives in Ohio but is in the service in CA does that mean they are a resident in CA?

The CCPA refers to consumers which is in turn defined as an individual who is a resident of California for purposes of the California tax code — so a resident under CCPA is essentially a resident for California personal income tax purposes. – Kate Lucente, Partner at DLA Piper

 

Is there any guidance on minors aged 16 -17 as far as opt-in or opt-out applies?

The CCPA contains conflicting language as to whether the consent obligations sales apply to personal information of minors 16 and under or to minors under 16. So, a clarification is needed as to the threshold for the consent requirement. For minors that are over the threshold, the general rule (right to opt out of sales of personal information) will apply. – Kate Lucente, Partner at DLA Piper

 

Is there any obligation on the user to block cookies?

The CCPA does not address cookies directly–however, given the broad definition of personal information, collection and sale, the information collected and/or disclosed via cookies is likely to be in scope for CCPA, including obligations to provide notice of the personal information collected and the purposes of use “at or before collection”, as well as the privacy policy disclosures and other requirements. – Kate Lucente, Partner at DLA Piper

 

Under CCPA, is anonymization a viable strategy to meet ‘erasure’ requests like it is under GDPR?

There is a bit of gray area for the CCPA. True anonymization (not being able to reverse engineer) is a viable strategy. However pseudanonymization is not because you could reverse engineer. Some argue that pseudanonymization is personal data (ie: it is not removed/unattached from a consumer) thereby not making pseudanonymization a viable strategy. – Rod Forsythe, CPO at Truyo

 

Under Individual rights to deletion, what are the available exceptions or conditions where request to delete may not be actioned?

In most cases, the denial of a delete request is restricted to certain data types and uses that already have another legal reason to keep that data (e.g. accounting laws, compliance laws, security purposes), but it does not include many marketing or sales purposes. For this reason, you will often partially comply and partially deny any particular request. – Rod Forsythe, CPO at Truyo

 

What are Kate’s views on the requirement to provide the 12 month look-back for the period before the CCPA is enforceable?

This is another area that the AG may clarify with regulations. For now, the safest approach is to assume that the look back period will apply when the CCPA takes effect and to prepare accordingly. This is consistent, for example, with the effect of the new and expanded rights that came into force under the GDPR. – Kate Lucente, Partner at DLA Piper

 

What specific categories in a response would suffice?

Examples of “depth” could include “New product announcements”, “Product Recommendations”, “Email Marketing”, “Contests”, “Servicing Loans,” etc. – Rod Forsythe, CPO at Truyo

 

Where CCPA primarily focuses on Consumer, how is a merchant that utilizes personal information for their business scoped?

All citizens of California are in scope, even if they are an employee, partner, customer, etc. – Jerrod Bailey, CSO at Truyo

 

SERVICE PROVIDERS & SHARING/SELLING OF DATA

Does “selling” include sharing personal data with your affiliate organizations?

Potentially. This will depend on the nature of the “sharing” and whether the affiliate is a controlled subsidiary or controlling parent of the relevant business. – Kate Lucente, Partner at DLA Piper

 

Does CCPA say that suppliers that an entity uses have their own (contractual) obligations but also that that SAR is their responsibility as well? In other words if an entity receives the SAR and they have share the data just to provide the service, then they would forward the SAR to the supplier who independently has their own obligation or does the entity who received the request have to manage compliance?

The CCPA distinguishes between businesses and service providers. Suppliers that meet the definition of a service provider may only process personal information in order to provide specific services to the business (and meet minimum contractual obligations); generally, service providers would need to forward requests to business and take direction from the business on how to respond. – Kate Lucente, Partner at DLA Piper

 

During the Q&A, could you expand on the discussion related to digital advertising and how companies need to look closely at this in relation to it being a “sale?”

Given the broad definitions of personal information (which includes unique identifier such as IP address, cookie ID, device ID, customer ID) and of sale (includes disclosing or permitting access to personal information by a third party in exchange for monetary or other valuable consideration) third party advertising and analytics activities should be reviewed for CCPA compliance purposes. For example, website operators/ publishers should review the third party cookies served through their website to determine whether any disclosures to such third parties are a “sale” under the CCPA. In particular, this may be relevant for third party OBA cookies, where the information collected via the third party cookies are used in support of the ad network and multiple advertisers. – Kate Lucente, Partner at DLA Piper

 

Given a company that has multiple legal entities (through past acquisitions), if a data subject provides their data to legal entity A, and that entity determines that legal entity B should respond back to the customer and transfers the contact record to legal entity B, is this transfer considered a “sale?”

This depends and the nature and purpose of the transfer and the relationship between the entities. – Kate Lucente, Partner at DLA Piper

 

How do we categorize and manage Service Providers differently from “Third Parties”, for contracts and understanding CCPA obligations?

You need to consider the nature of the relationship, the personal information disclosed and how the service provider/third party may use the personal information. To meet the definition of “service provider” under CCPA, minimum contractual terms are needed. – Kate Lucente, Partner at DLA Piper

 

How do we separate exchanging for benefit and engaging service providers where data is exchanged?

The best way to ensure a third party is a service provider is to ensure that you have in place a contract with the third party that contains the minimum requirements under the CCPA. – Kate Lucente, Partner at DLA Piper

 

If a partner receives a deletion request and sends it to my company, is the requirement to delete all of the data from that user that I received from the partner or all data that we have from that user?

This will depend on the context of the request and also whether any exceptions to deletion are available. – Kate Lucente, Partner at DLA Piper

 

If you have entered into a controller-processor DPA with a vendor is it reasonable to assume that transfer of data to that vendor will not be considered a “sale” under the CCPA?

There is a good chance that processors with whom a business has entered into a GDPR-compliant DPA will fit in the service provider bucket under CCPA; however, it is a good idea to review the contracts to confirm they meet the CCPA requirements for service providers and to assess any secondary uses of data permitted by the agreement. – Kate Lucente, Partner at DLA Piper

 

Is a CCPA service provider analogous to a GDPR processor? (i.e. is it required that data mapping/record compliance must be achieved by Jan or Jul 1919 to permit a full response to a DSAR on Jan or Jul 2020)

CCPA does not mandate data mapping or records of processing but they are necessary in order to enable compliance with the CCPA obligations. – Kate Lucente, Partner at DLA Piper

 

On to whom/from whom – is it just categories of third parties or do we need to name the third parties?

CCPA does not require the disclosure of the name of the company that information is sold or disclosed. However, disclosures of personal information to third parties for their own marketing purposes may trigger California’s existing “Shine the Light” law which includes additional obligations. – Kate Lucente, Partner at DLA Piper

 

What if we don’t sell information?

Arguably, you still must adhere to the “do not sell my information” link requirements, however it is not clear yet whether you will still need to capture and record their request. This is an area where amendments or AG regulations may provide clarity. – Kate Lucente, Partner at DLA Piper

 

You talk about 3rd parties should be participating in the DSAR process but you talk about it as if it’s a nice to have but it doesn’t sound like it’s mandatory. Can you speak more about if 3rd parties are a hard requirement or more of a nice to have?

Businesses are required to direct their service providers to delete in-scope information where relevant to a deletion request. – Kate Lucente, Partner at DLA Piper

 

{{cta(‘ec250143-f8c6-470d-adbe-0920de0c9be8′,’justifycenter’)}}

 


Author

Dan Clarke
Dan Clarke
President, Truyo
April 1, 2019

Let Truyo Be Your Guide Towards Safer AI Adoption

Connect with us today