Data privacy presentation
- 1. Today’s Data Privacy Landscape A High Level Comparison of the GDPR and CCPA
- 2. Data Privacy is Not New Many specific industries have their own acts governing data compliance. Medical Financial Educational Telecommunications Workplace FTC Enforcement
- 3. Recent Events Now consumer rights and protections are demanded due to rise in breachs. 2013 - Yahoo - 3 billion accounts 2014 - eBay - 145 million accounts - using corporate employee logins 2017 - Equifax - SSN of 143 million - credit card numbers of 209,000 2018 - Marriott - 500 million customers - Chinese intelligence group had access for 5 years without detection
- 4. What is the Solution? European Union and California lead the way to create uniform laws in data protection. General Data Protection Regulation in European Union - (GDPR) California Consumer Privacy Act - CCPA No Federal Legislation to Date
- 5. Who Must Comply? GDPR ● Businesses in the EU (regardless of where processing occurs) ● Businesses outside the EU ○ That offer free or paid goods or services to EU customers; or ○ That monitor behavior of EU customers.
- 6. Who Must Comply? CCPA - ● All businesses that collect personal information from California residents. ● A business under the act is defined as: ○ Businesses that earn $25,000,000 or more a year in revenue ○ Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes ○ Business that derive 50% or more of its annual revenue from selling consumer personal information
- 7. What is Personal Information? GDPR Personal data means any information relating to an identified or identifiable natural person. CCPA Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Unique Examples: IP Address, Search History, Biometric Data, Geolocation
- 8. Requirement to Inform (Before Collection) GDPR ● Must inform customers: ○ The data that is being collected ○ How the customer’s data being used CCPA ● Same as GDPR plus: ○ Categories of PI that businesses have collected, sold or otherwise disclosed during preceding 12 months must be in the online privacy policy.
- 9. Consumer Opt-Out v. Opt-In CCPA ● Need to give option to “Opt-Out” ○ If customer does opt-out cannot request to opt-back in for 12 months. ● Cannot sell data if consumer requests; or ● If consumer is a minor (unless minor has opted-in); and ● Cannot discriminate for opting out GDPR ● Consent is required at the onset of collection of information ● Need to implement “Opt-In” methods
- 10. Unique Issue Arises GDPR ● Requires privacy notices that inform customer of rights FTC ● Cause of Action for Unfair and Deceptive Business Practices ○ If you have a privacy policy that you do not comply with
- 11. Consumer Access to PI GDPR ● A free copy of the personal data ● Purpose of processing ● Categories of data processed (e.g., name, address, etc.) ● Any third party recipients ● Where the data came from (directly from consumer or not) ● How long such personal data would be stored ● Any automated decision making based on data
- 12. Consumer Access to PI CCPA ● Information collected; ● Categories of information collected; ● Categories of third parties with whom the information is shared; ● Categories of sources of the information; ● Business or commercial purpose for collecting or selling personal information. GDPR is Broader i.e right to retention period and automated decision making
- 13. Required Security Protocols Both the CCPA and GDPR require “reasonable” security measures. GDPR If handling sensitive information: ● Must appoint data protection officer; ● Implement privacy by design; and ● Undertake data protection impact assessments for new technologies implemented.
- 14. Right to be Forgotten CCPA ● Only applies to data collected from consumer GDPR ● Applies to all data regardless of source ● Should be deleted if no longer needed (i.e. data minimization)
- 15. Liability GDPR ● You may be fined for up to €20mm or 4% of your worldwide turnover (revenue), whichever is greater. ● You may also be subject to lawsuits by affected data subjects.
- 16. Liability CCPA ● If brought as a civil action by persons violated: ○ Not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater. ○ (Marriott would have been Three Billion Seven Hundred and Fifty Million Dollars) ● If brought by Attorney General: ○ Any person, business, or service provider that intentionally violates this title may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation; or ○ Two thousand five hundred dollars $2,500 for unintentional violations if a business fails to cure unintentional violations within 30 days of notice of alleged non-compliance.
- 17. Conclusion Consumer Rights: ● Right to know what information is being collected ● Right to know if information is being sold ● Right to say no to sale of personal information ● Right to access personal information ● Right to not be discriminated against if exercise rights