With the rise of streaming TV, online commerce, messaging and contactless purchasing, there is more data out there. With pandemic economy dictating efficiency in spending, and third party cookies being phased out, publishers and brands are looking for the most efficient bang for their advertising buck. This data and how is it used is increasingly regulated both in the EU under GDPR and in the US under CCPA and the upcoming laws CPRA and Virginia CDPA. In this interactive webinar, Odia Kagan will discuss the unique issues around ad tech and personal data collection and will explain what publishers, and adtech providers need to think about when faced with compliance under these laws and what steps should they take now. The webinar will cover: • Advertising personalization data is personal data and personal information under CCPA and GDPR. • Key requirements under CCPA, CPRA, GDPR • Do not share my personal information? • How do you disclose your practices transparently? • Where does TCF factor in? • Use and sharing is consent-based – but how does that work in real life? Recorded webinar: https://youtu.be/GeIGqkLWcRk

2. Agenda
• California: CCPA/CPRA
• Virginia: CDPA
• New York: NY Shield
• EU/US: GDPR Extraterritorial + Cross
Border
• US: What does the future hold?
• Q & A

3. Key Issues in CCPA/CPRA

4. • First comprehensive privacy law
• Signed into law on June 28, 2018.
• Went into effect January 1, 2020.
• Enforceable since July 1, 2020
• Enforcement already started, lawsuits filed
CCPA in a Nutshell

5. • Personal Information – very broad (even inferences).
• Detailed privacy disclosure(s)
• What’s in a sale?
• Yes, cookies too
• Financial incentive?
Key Issues in CCPA

6. • Data minimization + Purpose limitation
• Retention limitation
• Limitation on “sharing” (targeted advertising focus)
• Global opt out??
• Profiling and automated decision making
• DPIA
• Detailed obligations for service provider agreements
Key Issues in CPRA

7. Key Issues in VA CDPA

8. Key Issues in VA CPDA
• Opt-in for sensitive information
• Reasonable administrative, technical and physical security
• Broad Data Protection Assessment requirements
• Process for de-identified information
• Detailed obligations for service provider agreements
• Obligations for data processors
• Children’s compliance - COPPA

9. Key Issues in NY
Shield / NYDFS

10. • Effective: 10/19 (breach) 3/2020 (infosec)
• Holding personal information of NY residents
• Broad definition (CC number, biometrics)
• Detailed information security req’s
• Breach notification
Key Issues in NY Shield Act

11. • 4 phases 2/18 – 3/19
• Comprehensive cybersecurity program (governance, incident response,
internal policies, reporting, third party providers).
• First enforcement – Summer 2020
Key Issues in NYDFS Cybersecurity Regs

12. GDPR Extraterritorial

13. • Soriano - Offering / targeting must be “related to”
• EDPB 2021-2023 Action plan – More enforcement on Non-EU controllers
• New SCC’s – Do they apply to Art. 3(2) entities?
Extraterritorial Application of GDPR

14. SchremsII and its Aftermath

15. • Court decision: Privacy Shield is dead; SCC’s need life support.
• EDPB Guidelines:
o No risk based approach
o No US cloud providers?
o What about intercompany transfers?
• New SCC’s
• What to do?
SchremsII and Aftermath

16. What does the future hold?

17. US: State laws
• Washington state – bill making progress
• GDPR concepts
• (almost) No private right of action
• New York
• Several bills
• Fiduciary obligations
• Private right of action + regulations
• Texas?
• Colorado?

18. US: Federal
• Increased privacy / cybersecurity focus?
• More FTC enforcement?
• Federal law?
• EU US Privacy Shield? /Surveillance laws

19. THANK YOU
?
OKagan@foxrothschild.com Odia Kagan