Signature Privacy Policy Made Easy

Signature privacy policy

welcome to venables privacy law and policy webinar series today our topic is the california privacy rights act of 2020. i'm mike cignarelli a partner in venables privacy and cyber security practice and i'm joined with my colleagues chelsea raquel and ali montecolo and we're going to give you a deep dive on the particulars of the cpra and its relation to the ccpa and i'll note at the outset that there are several acronyms that we'll be using throughout the presentation we'll do our best to emphasize when we're talking about the california consumer privacy act which is the ccpa and the california privacy rights act which is the cpra and just to give you one more acronym there's the cppa which is the new california privacy protection agency created by the california privacy rights act for more than three years now our practice group has been in the middle of the legislative and regulatory debate in california helping shape the regulations and the amendments to the ccpa and advising clients on the application of the california consumer privacy act to their business models understanding their rights afforded to their customers and helping navigate those issues we are months removed from the enforcement of the ccpa and the effectiveness of the california attorney general's regulation in just a few days from now california residents will be heading to the polls to approve a new ballot measure known as prop 24 the california privacy right act which will overhaul the existing privacy law in california one administrative note there are cla credits available to you for participating in this webinar about halfway through the presentation and later at the end we'll be announcing your cle code so please listen out for that in this webinar we'll share the insights we've learned over the last few years around the ccpa and apply those to a new context in the cpra and discuss the specifics of the proposal how it relates to the ccpa compare it to the gdpr and then provide you some roadmaps for thinking about how to prepare for the cpra should it be approved on november 3rd by a majority of california residents so our first section is a little bit on the background and the procedure of the cpra how we got where we are today so first um just noting that the cpra will appear on the ballot this november 3rd for california residents to approve it's listed as proposition 24 and give you a sense of how many different propositions will be considered by california voters this november for consideration the cpra started much the same way as the ccpa did in 2017 as a ballot measure i think as many know that the ccpa did off-ramp though in june of 2018 to go to the legislature and one of the key calculus is in supporting that as an industry that off-ramping was the ability to amend a legislative vehicle versus a ballot measure the ccpa at the time included an amendment language that required a super majority to make any changes to the ballot once it was approved by california voters by taking it to the legislator gave an opportunity for all stakeholders to work with the legislature to improve and make sure that the law better reflected industry practices consumer expectations and and those rights that were afforded to them note here that the operative dates to be mindful of should this be approved is that the law would become operative in january 2023 and there would be a look back with some of the rights to january 2022 a little bit more on the amendment process the cpra can be amended provided that the amendments are in the furtherance of the purpose and intent of the cpra which is to enhance consumer privacy and it would be passable or mendable by a majority of the legislature which is again different than what we were looking at and considering when the cpa was about measure so the cpra would be amendable but again any changes would have to be in furtherance of the intent of the law there is some preemption language you can see here in the final bullet with respect to other laws in california preempting those by the cpra the timeline for the cpra is illustrated through this chain where it was initially filed in october and started then going out for the certification process obtaining signatures once that signature threshold was met it was filed with a secretary of state and this third circle is encircled in a in red because this is the point by which the ccpa was off off-ramped prior to certification once the measure was certified by the secretary of state which it was on june 25th it could not be removed from the ballot um and off-ramp back to the legislature so we're now moving forward to the consideration of it by california residents it'll be part of the ballot on november 3rd if it is then approved you can see here with some of the operable dates particularly at becoming effective in january 2023 with look backs to 2022 regulation process developing regulations implementing the cpra will be happening in 2022 was enforcement happening in july of 2023 on this slide you could see what the how the proposition is being presented in california this is from the voter pamphlet you can see that it is a list of highlights um presented talking about the operative requirements of the cpra and its benefits uh you see that it tells voters that it will establish a new agency change the requirements of what constitutes a business which we'll get into more detail later lay out new prohibitions restrictions note that there are increases in penalties for violations concerning consumers under the age of 16 and authorized civil penalties if approved the ccpa will continue to remain in full force in effect and then will be modified and new substantial requirements will be applicable start of 2023 it will create a new privacy protection agency um instilling enforcement and rulemaking authority in this new agency and then again just re-emphasizing the key dates these are very important as you're taking back information talking with your clients and your business teams to be mindful of these dates and we'll repeating them several times throughout the the webinar one final slide before i transition over to chelsea the proposition has got a both proponents and opposition to the prop 24. here you can see the mass head from a letter from different constituents from industry particularly trade association raising concern with prop 24 noting that the ccpa is such a new law that we don't fully understand the true impact and that more time should be provided to assess what is working not working for both consumers and businesses before we overhaul an entirely new framework the image on the right shows a video put out by the proponents of prop 24 this is supported by aleister mctaggart and what we've seen in the in the marketplace and throughout california uh that there are divergent views on the value and the benefits created from prop 24. i'll just note a few that there are more than 15 editorial boards of california newspapers that are opposing it the aclu the league of women voters the california nurses association the california small businesses both republican and democrat parties that noted polling from probably three weeks ago suggests that of the 60 percent of likely voters will approve prop 24. i think general con convention is that the cpra prop 24 will pass and become law in california so with that i will transition this to chelsea to walk you through a baseline of the tcpa all right thanks very much mike so we're just going to lay the groundwork here for a little bit of a reminder of what the ccpa has so that when we compare it to the cpra you have that fresh in your mind so this is just a brief overview the ccpa there's three different categories of entities there's the businesses the service providers and the third parties the majority of obligations which apply to the businesses under the ccpa there's three main rights the right to access right to deletion and to opt out of the sale of personal information and then there's also a number of requirements around consumer notice obligations the ccpa has a limited private right of action this is just around data breaches and not implementing and maintaining reasonable security procedures the penalties for that can range from the greater of a hundred to seven hundred and fifty dollars per consumer per incident or actual damages so when you're looking at per consumer that can equal real money class action suits are permitted and businesses currently have a 30-day cure period although i'll note that there are some situations uh you know where the horse has already been let out of the barn and breach situations that that is very much the case and then in california attorney general has the ability to bring enforcement actions for violations of all other terms um and the penalties there can range from 2500 for each violation to 7 500 for each intentional violation and also for the enforcement actions businesses also have a 30-day cure period and as a reminder the enforcement from the california g began back on july 1st of this year so what's been going on with the ccpa it has not been finalized we thought we had final regulations implementing the ccpa back in august which notably this was more than a month after the law became enforceable and then on october 12th we got an october surprise and the california ag proposed a third set of modifications and the comments on these are due tomorrow so it's not a ton of overhaul on the changes but there are some changes to be aware of we just quickly lay out a few of them here specifically offline personal information collection having the offline notice so posting signage in brick and mortar locations where personal information is collected for phone channels you may provide the required disclosures via phone and then on the opt out requests having straightforward links that are not cute don't use double negatives don't require too many actions and actually we saw an emphasis on this when the california ag sent out warning letters back in july and there was a speech by a california attorney general representative who said that when they sent out warning letters in july i talked about the ipp speech that they really emphasized the links and one of the ways that they got complaints was actually through social media as well so um just interesting to note that this is something that the ag is keeping their eye on and then modifications to verifying an authorized agent as well and if i could just add one thing to the amendments of the proposed by attorney general one area of interest is around the language about the effects of an opt-out and the regulations would limit a business's ability to communicate to consumers about the impact their opt-outs may have on their experience and the business itself i do know that the advertising and marketing and trade associations is a point of emphasis that they're going to make in their comments raising concerns about educating consumers about those impacts so that that may be something you may be interested in looking into and communicating to your your representatives or filing directly yourself on that point that there shouldn't be unreasonable restraints of communicating the impacts of do not sell opt-outs thanks kathy all right and over to ali great thanks um so now we'll kind of get into the more nitty gritty comparison of the cppa to the cpra and first we'll just provide a brief upfront snapshot of some of the main differences this list here is not exhaustive but it's just to put in one place some of the main things you all should be thinking about um we'll discuss the specific points listed on this slide in more detail as we progress but here you have some of the central points to note uh cpri would not replace the ccpa wholesale but instead it would materially amend the statute to add certain terms and to alter others so the cpra would add a right to correct inaccurate personal information provide an express right to opt out of sharing personal information for cross-context behavioral advertising add a right to limit the use and disclosure of a new category of data called sensitive personal information expand the ccpa's limited private rate of action for certain data breaches to breaches involving an email address in combination with a password or security question and answer that would permit access to an account um the 30-day cure period would remain the same for civil actions but as has been mentioned it becomes discretionary for the administrative enforcement actions by the new agency and the cpra also provides that instituting reasonable security procedures after a breach does not constitute a cure again there's a brand new agency called the cppa which will enforce and regulate the law and the new law will triple the maximum penalty for privacy violations affecting children under 16 will increase to 7 500 per intentional violation for those violations another thing that's important to note is that the cpra will change some of the ccpa's main entity definitions so as you all may already know the ccpa regulates three categories of entities which are businesses service providers and third parties the cpra would alter some of the definitions of those terms and would also introduce an entirely new category of entropy called a contractor into the legal regime so the first bullet on this slide kind of shows the main change that cpra would make to the ccpa's definition of business so under the ccpa the current law a business is a for-profit entity that does business in california collects personal information determines the purpose and means of processing that personal information and satisfies at least one of three data processing or revenue thresholds and under ccpa one of those thresholds is if the entity buys sells or shares for commercial purposes the personal information of 50 000 or more consumers households or devices however the cpra would change that threshold to a hundred thousand and would remove devices from the account so the threshold would apply only if the entity buy sells or shares personal information of a hundred thousand more consumers or households not devices another important point is the creation of the new term contractor in the cpra this entity is is very similar to a service provider there are only really minor differences in the definitions provided for those two entities under the cpra as you can see here a contractor is a person to whom the business makes available a consumer's personal information for a business purpose and in contrast service provider is defined as a person that processes personal information on a business's behalf for a business purpose so there is that slight minor difference between the definition of the two terms but the real differences are in the contracting requirements in the written agreements businesses must maintain with service writers and contractors which we'll highlight in just a few slides and finally the cpra slightly changes the definition of third party it adopts a similar construction as the ccpa by sort of defining the term in the negative by listing what a third party cannot be but the cpra's definition makes it slightly more clear that a third party cannot be the business with whom the consumer intentionally interacts a service writer to the business or a contractor so here we start to lay out some of the contracting requirements that i alluded to before for the agreements businesses must maintain with service providers contractors and third parties so this is one key point of note is that the cpra requires businesses to enter into agreements with third parties that contain particular terms and the ccpa did not include this contracting requirement between businesses and third parties it did have contracting requirements for service providers which are preserved so but not third parties so this is new so as you think about the cpra and its impact on your business you may want to consider the entity definitions we just reviewed and which categories your partners may fit into because those determinations will likely impact you know your contracting approach and the requirements you need to meet with those partners so here you can see cpri would require businesses to enter into agreements with those entities containing the following terms they must specify that the personal information is sold or disclosed by the business only for limited and specific purposes obligate the third party service provider or contractor to comply with applicable cpra obligations and provide the same level of privacy protection as is required of them under the cpra grant the business rights to take reasonable and appropriate steps to help ensure that the third party service provider or contractor uses the personal information transferred in a manner consistent with the businesses obligations under the cpra require the third party service provider or contractor to notify the business if it makes a determination that it can no longer meet its obligations and grant the business the right upon notice to take reasonable and appropriate steps to stop and remediate unauthorized uses of personal information now there are further requirements uh for contracts between businesses and service providers or contractors uh so in addition to the terms we just reviewed on the previous slide businesses contracts with service providers and contractors must contain these additional specific terms laid out here the first three sub-bullets here may look familiar to you as these are actually contracting requirements that are already in the ccpa for service providers however this fourth sub-bullet that starts here with combining is new so the contract now under cpra must prohibit the service provider or contractor from combining the personal information that the service provider or contractor receives from the business with personal information it receives on behalf of another person or collects from its own interactions with the consumer subject to certain exceptions to be defined by regulation additionally service providers and contractors must notify a business if they engage subcontractors and those subcontractors must be subject to a written contract binding them to all of the cpra requirements that the service writer or contractor is bound to in its own contract with the business you have a bit of a contractual slowdown provision there and finally as i mentioned before there are even more contracting requirements between businesses and contractors so in addition to the prior two slides requirements contracts between businesses and contractors must also include a certification made by the contractor that the contractor understands the restrictions and will comply with them and must permit the business subject to an agreement with the contractor to monitor the contractors compliance with the contract through measures including ongoing manual reviews and automated scans regular assessments audits or other testing at least once every 12 months if i could just add one thing here on the on the definitions and the different roles of entities the attorney general's regulations particularly around what service providers could do with data recognize that companies use data they receive from their customers for internal uses and have given some latitude and flexibility to improve the quality of products and services the cpra language has a more narrow provision for service providers it's not clear how that will work out through the regulatory process but that might be an area where you want to spend a little time internally thinking about whether the cc cpra changes your business operations with respect to your service providers or when you're acting as a service provider because that that is a a change from what the regulations currently provide back to you allie thanks mike so now we'll talk about some important new terms that have been added to cpra the terms are share and cross-context behavioral advertising so ccpa as you may know gives consumers the right to opt out of sales of personal information cpra retains this same right but adds an additional right to limit a business's sharing of personal information the definitions of share are is provided here uh it means basically transferring personal information to a third party for cross-context behavioral advertising whether or not for monetary or other valuable consideration and then they also provide a definition of cross-context behavioral advertising here as well it's defined as the targeting of advertising to a consumer based on the consumer's personal information obtained from activity across businesses distinctly branded websites apps or services other than the business so now the real impact of this new these new definitions and this new right could depend on how you were understanding the term sale under ccpa some businesses may have already been treating transfers or personal information for cross-context behavioral advertising as sales but others may not have been so the cpra makes clear that businesses must offer consumers the ability to limit such transfers for cross-context behavioral advertising and as part of that obligation businesses must offer a link on their web pages enabling consumers to opt out of sales and sharing of personal information and do not sell or share my personal information link so now we'll continue to dig in a little bit more to comparing the consumer rights and how those have changed under ccpa or under cpra um the main changes to the right to know and access involve changes relevant to the kind of additions the cpra makes to the ccpa as well as certain changes to timing the look back period for that right so as you may know the right to access under ccpa applies to specific pieces of personal information categories of personal information collected categories of sources from which such information is collected the business or commercial purpose for collecting or selling personal information and categories of third parties to whom the business sells personal information the cpra would extend that access right to categories of personal information shared with third parties additionally the cpra would require a disclosure of the length of time personal information will be kept and sensitive personal information which we'll discuss in just a few slides the timing change is notable here under the ccpa um the look back period for access requests is the prior 12 month period however under cpra the uh agency the uh the new uh privacy protection agency is given the authority by regulation to extend that period beyond the prior 12 months unless doing so or providing access to that information would be impossible or involve disproportionate effort so we could see the new agency issue a rule saying that access rights need to apply you know to the prior 24-month period or 36-month period but it will not extend prior to january 1st 2022 so that's kind of really the start date for all of this um although the ag does have or the new agency does have the ability to extend that time period by regulation uh now moving on to comparing the the right to delete term um so under the ccpa businesses are required to respond to consumer requests to delete personal information and they have to pass such deletion requests along to their service providers there are certain exceptions which are listed here i won't read them all aloud to you but there are certain exceptions to the right to delete under the ccpa under the cpra businesses must notify their contractors in addition to their service providers of a request to delete and it makes clear that service writers and contractors who deletion requests directly from consumers don't need to comply with them if they collect use or process personal information in their role as a service provider or contractor the real um important point to key in on here though that is a kind of a big change from the ccpa is that businesses under the cpra are required to notify third parties to whom they sold or shared personal information to delete personal information after receiving a request so this deletion passed through to third parties was not something that was included in the ccpa and will likely require you know some significant steps to operationalize whether that's passionate passing a deletion flag to your third parties or communicating it in some other way this is really the the most notable change um we think to the uh the regula the cpra or the ccpa via the cpra additionally as we mentioned before the ccpa does not currently contain a right to correct personal information but the cpra will provide that new right this is a right that's inherent in the gdpr as well so it may not be totally unfamiliar but that will be something new as far as california law goes additionally under the ccpa there is a right to non-discrimination where a business cannot discriminate by denying goods or services or charging different prices or rates or providing different levels or quality of service to consumers for exercising their rights under the ccpa and during the um the regulatory period under ccpa there was some question as to whether this right might prohibit or limit the provision of loyalty programs or discounts that you know brands and businesses might offer to consumers for giving them personal information or allowing them to disseminate personal information however the cpra does provide one helpful point here they they basically recast the right as a right to know retaliation but it's very much the same but there's an additional term in the cpra that says that the subdivision does not prohibit a business from offering a loyalty rewards premium features discounts or club card program consistent with the title so that could be um you know some uh i guess consolation to companies who might have been worried that the right to non-discrimination would inhibit their loyalty programs additionally both the ccpa and cpra provide for a right to opt out of personal information sales under the ccpa the way that businesses must provide that right is through a do not sell my personal information link if they collect information online under the cpra though as we've already discussed there is not just a right to opt out of personal information sales but also that sharing which is transfers for cross-context behavioral advertising so the link has changed accordingly must be called do not sell or share my personal information um and on this on this do not um this this right to opt out of sales piece um there is an additional thing to note about um browser device browsers and device signals that we saw kind of develop through the ccpa regulatory process so the ccpa provides a right to opt out of sale of personal information and the ccpa regulations the ag kind of interpreted that term to mean that any kind of user enabled settings or global privacy control functions as a valid opt-out request meaning that any kind of uh control or you know widespread signal that a consumer may have set through a browser or other kind of privacy plug-in could cast you know a do not sell signal across you know the internet marketplace to all kinds of businesses so that is the regime we're living under now and we've already seen some development of global privacy controls on the market we've seen some browser plugins come out for consumers to download to cast these do not sell requests across the marketplace and that's a requirement currently under the ccpa regulations for businesses to honor those requests as do not sell requests however cpra takes a bit of a different approach uh it explicitly says in the initiative that a business isn't required to honor a global opt-out signal but they have the choice of honoring such a signal or offering a do not sell my personal information or share my personal information link so the cpra gives businesses the choice to either offer that link or honor the global control and this is important for a number of reasons but mostly because uh with a global control you might you are more likely to see a decrease in the amount of data supply across the the marketplace if if consumers can cast a single signal across all businesses there's going to be a downtick in the amount of data available for marketing and other purposes but under cpra which provides a little bit more flexibility on this piece businesses have the choice so as we've alluded to before the cpra adds a new term called sensitive personal information and defines that term and provides an attendant right kind of associated with this term so first the definition of the term is is kind of um data elements that you might have seen or heard of before as being categorized as sensitive in some other regimes um personal information that reveals a social security number or driver's license number account login or financial account number in combination with required security or access code password or credentials allowing access to the account precise geolocation is included in the definition of sensitive personal information racial or ethnic origin religious or philosophical beliefs or union membership that kind of gets that a bit of the gdpr's definition of a special category of personal information so that's similar there the contents of a consumer's mail email text messages genetic data biometric information and other information is included on this definition uh does not include anything that is publicly available but the right that's attendant here is that californians are able to limit a business's use and disclosure of this information to and limit the use to certain kinds of uses only uses that are reasonably expected uses that are uses to help ensure security and integrity uses that are short-term or transient uses that are necessary to perform services on behalf of business and uses to verify or maintain the quality or safety of a service so a california consumer now under the cpra can submit a request to a business to limit the businesses use and disclosure of sensitive personal information this is a new right under cpra we'll note though very importantly this right is really only available to sensitive personal information that is collected or processed with the purpose of inferring characteristics about a consumer so only then are consumers able to submit a request to opt out or to limit a business's use and disclosure of this information the california privacy protection agency is directed to define that phrase purpose of inferring characteristics about consumer by regulation so we'll know more about what they mean by that once they issue regulations but this right is tied to that specific use their collection or processing with the purpose of inferring characteristics about a consumer additionally there are some changes to the privacy policy and notice disclosures as well as some notable changes to the exemptions on cpra um privacy policies under cpra have to contain certain disclosures related to sharing personal information and sensitive personal information which sort of makes sense if they're adding these new terms these new rights they're going to also require disclosures relevant to these things additionally we briefly went over the the links that need to be made available the home page notices may combine the disclosures of do not sell or share my personal information and limit the use of my sense of personal information into a single clearly labeled link so these links are both required however there is the option to combine them into a single clearly labeled link if you do all of these activities and need to provide opt-outs and limitations for these activities the cpra expressly allows you to combine them into a single link instead of having two or three on your site additionally uh notices at the time of collection under cpra must contain information about data retention this is not something we saw under ccpa there's no real disclosure requirement for retention but now we are seeing it under cpra and additionally one important point about the exemptions is that cpra would extend the exceptions for employee and business to business data until january 1st 2023 california just a few months ago passed ab1281 which extended those exemptions which are currently effective under ccpa until january 1st of 2022 but if the cpra is approved they will be extended until january 1st 2023 all right now i'm going to turn it over to chelsea to talk a bit about enforcement all right thanks ali and we're just going to pause here for one moment for those folks who are getting cle credit for this presentation the code to use is cpra 2020 again that's cpra 2020 for the cle code all right so now on to enforcement so this is just a little bit of an overview of ccpa versus pra the private right of action as i talked about earlier with ccpa it's very very limited it's just within the context of a data breach and then for cpra what's added on to that is it includes breaches involving email addresses with a password or security question permitting access to the account and there's still the 30-day cure period in both of the private right of actions and then the cpra just outlines that implementing reasonable security procedures does not constitute a cure and there is also no cap on civil penalties i'll mention as well for agency enforcement same thing 30-day q period for ccpa that actually changes with the cpra so under the cpra there can be a cure period but it's discretionary uh to the agency so that gives businesses quite a bit of pause right now if you get a letter you are insured that your period and that that is going to change under cpra and um under the cpra the ag and this new enforcement agency will be working alongside each other and it's unknown right now exactly how that relationship is going to evolve and how enforcement will move forward under that but that's just one thing to be apprised of and another thing i'll say on the private right of action is that right now under the ccpa it's been really interesting how it's been moving forward meaning that cases have been brought under the data breach allowance but also outside of that and the ccpa on its face does not allow it but plaintiff's attorneys are trying to move forward on just violations of the ccpa for notice and all sorts of things outside of just the data breach those have been moving slowly we haven't received any huge opinions on that front so it'll be interesting to see with the cpra how the private right of actions move forward and if the cases that we see coming forward are changing one area to keep a lookout for is figuring out if a violation of the ccpa or now the cpra would be considered a predicate act for something like the unfair deceptive claim act under california law which there have been cases filed under but no decision on that front yet right now to ally all right so now we'll discuss a little bit about this brand new agency uh that's going to be set up by the cpra which is called the california privacy protection agency or the cppa the agency will be comprised of a five-member board including a chair of the board the chair and one member of the board will be appointed by the governor of california and then the attorney general the senate rules committee and the speaker of the assembly will each appoint one other member of the board and these appointments will be made from among californians with expertise in the areas of privacy technology and consumer rights and members of the board will serve at the pleasure of their appointing authority but not for more than eight consecutive years so this new agency may also investigate possible violations of the cpra upon the sworn complaint of any person or on their own initiative as we've mentioned numerous times there's no guaranteed 30-day cure period but it is discretionary and the agency can choose to extend its cure period but it's not guaranteed administrative fines for violations of the cpra may extend from 2500 for each violation to 7 500 for each intentional violation or any violation including the personal information of a minor consumer and as we've noted before the new agency is authorized to assume rule-making responsibilities from the attorney general and the way that will work is that at least what it says in the statute is that the new agency will notify the attorney general that it's ready to assume rule making responsibility so after you know there's going to be some time for the appointments and to get everything set up the agency will then notify the ag it's ready to assume these rulemaking responsibilities and we'll go from there july 1st 2022 is the deadline for the new agency to adopt final regulations implementing the cpra and then enforcement may begin starting july 1st of 2023 so there is a lot of new regulatory authority afforded to the california attorney general and which will then be transferred to the new agency under this under the cpra the ccpa provides certain specific regulatory directives in addition to a broader directive to promulgate regulations as necessary to further the purposes of the cp ccpa cpra is similar there is authority to issue rules to further the purposes of the title as well as a bunch of other much more specific directives and we just provide a few examples here but this is an area to keep your eye on because as we saw with ccpa it's very likely that the regulations under cpr it will provide much much more color and information regarding how this law actually must be operationalized so some of examples of the specific regulatory authority areas are the new agency will be asked to issue regulations to define or add additional color to specific terms and those terms are precise geolocation sensitive personal information specific pieces of personal information de-identified unique identifier intentionally interacts among others so they're asked to kind of further flesh out these terms by regulation additionally the agency is a to issue regulations to require cyber security audits or risk assessments for businesses whose processing of personal information preven presents a significant risk to privacy or security again to be defined by regulation so here's kind of a whole other requirement that could sort of be added by regulation or might be added by regulation should the agency take this up additionally they will define when allowing consumers to access personal information collected beyond the prior 12-month period would be impossible or involve a disproportionate effort if you recall on that prior slide we noted that the new agency will have the ability to extend kind of the look-back period past the prior 12-month period for access requests and businesses would have to comply with that unless it was impossible or involved a disproportionate effort to comply with that type of access request but here the agency is given the authority to define what that means so it's not just going to be subject necessarily to a business interpretation but the agency will provide you know additional insight on what it actually means for that to be impossible or involve a disproportionate effort um additionally the agency is going to likely promulgate rules about access and opt-out rights with respect to businesses use of automated decision-making technology including profiling these are terms that are defined by the law so there will be likely be rules with respect to that and additionally they will they have the authority to issue technical specifications for an opt-out preference signal as we discussed with the the browser signals and privacy controls those are discretionary under cpra but the agency is given the ability to issue technical specifications for the development of a universal control all right now pass it on to chelsea to tackle the the gdpr great thanks ali so we're in our home stretch now we're just going to quickly go through some points of bpra to gdpr and then we'll go through what this means operationally for your business to do now to prepare for cpra and if we have time at the end we'll take some questions so cpra compared to ddpr as a lot of you are aware gdpr was adopted and went into effect a few years ago in gdpr we have the controller and the processors and cpra we have businesses service providers and now also the contractors and third parties as well so the applicability of gdpr is a little bit wider than what we see with ccpa and cpra so for gdpr you know you can have a single employer agent established in the eu and also the intention to offer goods or services to eu data subjects whereas the cpra doing business in the state of california is a prerequisite for being a business subject to cpra while the gp gdpr excuse me does not require one to actually conduct business within the eu in order to be subject to terms so here we just give a side by side what's interesting to note with the cpra is it starts to get a little bit closer to the gdpr than where we were with ccpa so this is just a comparison of some of the similarities of calling it consumer rights versus individual rights under gdpr collection and processing requires a lawful basis cpra it's allowed but subject to disclosures and opt out you see the sensitive personal information coming in with the cpra gdpr we have the special categories and then you see these agencies being established as well to oversee these processes so these are a few provisions that compare the cpra and the gdpr that we didn't see with the ccpa so like ali talked about this right to restrict use of sensitive personal information correcting data the agencies the requirement to conduct assessments of high-risk processing activities so that gets much closer to gdpr and high-risk data processors will be required to perform a cyber security audit on an annual basis and some of the factors to be considered or if processing will result in a significant risk is your typical size and complexity of the business nature and scope of processing activities but high-risk data processors will also have to submit to the new california agency on a regular basis a risk assessment that includes things like information about processing the sensitive personal information weighing the benefits of processing that information against risk etc we also see profiling and automatic decision making come into play with cpra which we did not see with ccpa so the new regulations that will come out will govern access and opt-out rights with respect to businesses use of automated decision-making technology the regulations are charged with requiring businesses response to access requests to include information about the logic involved in the decision making processes and a description of the likely outcome of the process with respect to the consumer um as we had alluded to before you start to see right to data minimization not showing personal information longer than necessary start coming into play as well all right so how to prepare for the cpra you're probably thinking you did so much preparation for ccpa you really have to go through all that again do you have to do anything and the answer is yes there are some immediate steps that you need to take um even though it doesn't become operative for a little bit you know many of you i'm sure went through the ccpa preparation process that took a long time to get together and figure out things on the back end and request and all of that so for cpra there are some things that need to be done starting as soon as it's passed so in addition to the steps that you already took for the ccpa some other things that you need to do are review and update your privacy policy and consumer facing notices so specifically on the home page we talked about having that do not sell my personal information do not sell or share my personal information and limit the use of sensitive personal information you can combine that all into a single link but it has to be clearly labeled it can't have cute language it needs to be very obvious and then adding to your privacy policy the new right to correction with sensitive personal information we would suggest data mapping to understand if your business is processing sensitive personal information in what way it's doing that like i said adding the link on that front and then looking at your partner contracts so checking with partners to see what category they fall under are they third parties are they service providers are they contractors what are they doing to prepare for cpra if anything and then once you make that determination making those contractual provision updates that ali went through in great detail and then also developing a plan for passing on deletion flags to partners which as we talked about is a new requirement also taking stock of cross-context behavioral advertising determining the extent which your business may share personal information for this and the best way you can effectuate opt-out requests and then also just staying apprised of the new laws and developments as we saw with ccpa we saw regulations come out and then change and then come out and change and same thing we predict is going to happen there's going to be a lot of changes and especially you add in the new element of this new agency that will be created just staying on top of what's going on as the law progresses all right and with that i'll pass it to mike thank you um we have some time to take a few questions that came in through the chat during the during the conversation first one is in an agency context about how to contract with service providers and contractors when representing advertisers or brands i think you can answer this question in one of two ways one is are you allowed to engage subcontractors and the cpra does permit a contractor or service provider to bring in sub processors provided that there are pass-through requirements that the service provider is subject to which would flow down to the subcontractor sub-processor the other is whether or not existing service offerings can fit within a contractor or service provider construct and that is too early to know and really will depend on your partner your vendors and the services that they're offering and i think we'll learn more once this comes into effect and see how the marketplace reacts and responds but theoretically provided that your subcontractor can work within the limits of being a contractor or service provider you would be able to engage them on behalf of your clients and work with them question two is around deletion requests in regard to service providers and contractors today service providers are required to effectuate deletion requests that come through from the business that will continue under the ccpc pra but adding to that are now contractors so you would have to cooperate both service provider and contractor with deletion requests passed by the business to the entity like under the ccpa the cpra does not require either service provider or contractor to process deletion requests received directly from the consumer those requests must come through the business and direct it to the service provider or contractor there is a another question related to the risk assessments and reporting those to the attorney general whether or not we can expect any sort of standards to come into play to help businesses provide those reports the the attorney general and as well as the cppa do have um discretion to promulgate regulations to effectuate the law this could be an area where they do provide guidance we did see under the current regulation that there were some areas where the attorney general exercised discretion and didn't provide guidance and this could be an area where that happens i would expect that we will see um maybe industry developing some best practices or guidance into space if the attorney general does not take action um there's one final question about related to the impact of cpra changes to targeted marketing and the use of location data and marketing products um i'll give you the early answer that all this is very fact specific but i will also direct you to the processing of sensitive personal information that term does include location data as part of sensitive personal information that does provide the right to limit the use and disclosure of that information and then there's also the cross-contextual behavioral advertising as an industry we think of that often as interest-based advertising and allowing for limits the sharing of that information and then also looking under the current ccpa and whether those transfers would constitute a sharing that is considered a sale and subject to a do not sell request that concludes um our questions and our uh presentation again for those who are interested in cle credit the code is cpra 2020 we thank you for your time um and thank you for joining us today have a good day you