With the rise of streaming TV, online commerce, messaging and contactless purchasing, there is more data out there than ever. With the pandemic economy dictating efficiency in spending, and third-party cookies being phased out, publishers and brands are looking for the most efficient bang for their advertising buck. This data, and how it is used, is increasingly regulated, both in the EU under GDPR and in the US under CCPA and the upcoming laws CPRA and Virginia CDPA. In this interactive webinar, Odia Kagan will discuss the unique issues around ad tech and personal data collection, and will explain what publishers and adtech providers need to think about when faced with compliance under these laws and what steps they should take now.
The webinar will cover:
• Advertising personalization data is personal information under CCPA and personal data under GDPR.
• Key requirements under CCPA, CPRA, GDPR
• Do not share my personal information?
• How do you disclose your practices transparently?
• Where does TCF factor in?
• Use and sharing is consent-based – but how does that work in real life?
Recorded webinar: https://youtu.be/GeIGqkLWcRk
CCPA in a Nutshell
• First comprehensive privacy law
• Signed into law on June 28, 2018
• Went into effect January 1, 2020
• Enforceable since July 1, 2020
• Enforcement already started, lawsuits filed
Key Issues in CCPA
• Personal Information – very broad (even inferences)
• Detailed privacy disclosure(s)
• What’s in a sale?
• Yes, cookies too
• Financial incentive?
Key Issues in CPRA
• Data minimization + purpose limitation
• Retention limitation
• Limitation on “sharing” (targeted advertising focus)
• Global opt out??
• Profiling and automated decision making
• DPIA
• Detailed obligations for service provider agreements
Key Issues in VA CDPA
• Opt-in for sensitive information
• Reasonable administrative, technical and physical security
• Broad Data Protection Assessment requirements
• Process for de-identified information
• Detailed obligations for service provider agreements
• Obligations for data processors
• Children’s compliance – COPPA
Key Issues in NY SHIELD Act
• Effective: 10/2019 (breach notification), 3/2020 (information security)
• Scope: holding personal information of NY residents
• Broad definition (credit card number, biometrics)
• Detailed information security requirements
• Breach notification
Key Issues in NYDFS Cybersecurity Regs
• Four phases, 2/2018 – 3/2019
• Comprehensive cybersecurity program (governance, incident response, internal policies, reporting, third-party providers)
• First enforcement – Summer 2020
Extraterritorial Application of GDPR
• Soriano – offering / targeting must be “related to”
• EDPB 2021-2023 Action plan – more enforcement on non-EU controllers
• New SCCs – do they apply to Art. 3(2) entities?
Schrems II and Aftermath
• Court decision: Privacy Shield is dead; SCCs need life support
• EDPB Guidelines:
  o No risk-based approach
  o No US cloud providers?
  o What about intercompany transfers?
• New SCCs
• What to do?
US: State laws
• Washington state – bill making progress
  o GDPR concepts
  o (Almost) no private right of action
• New York
  o Several bills
  o Fiduciary obligations
  o Private right of action + regulations
• Texas?
• Colorado?
US: Federal
• Increased privacy / cybersecurity focus?
• More FTC enforcement?
• Federal law?
• EU-US Privacy Shield? / Surveillance laws
If you have a process for this under GDPR – is it sufficient?
Administrative Safeguards
• Designate individual(s) responsible for security programs;
• Conduct a risk assessment process that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of safeguards in place to control those risks;
• Train and manage employees in security program practices and procedures;
• Select capable service providers and require safeguards by contract; and
• Adjust program(s) in light of business changes or new circumstances.
Physical Safeguards
• Assess risks of information storage and disposal;
• Detect, prevent, and respond to intrusions;
• Protect against unauthorized access to or use of private information during or after collection, transportation, and destruction/disposal; and
• Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.
Technical Safeguards
• Assess risks in network and software design;
• Assess risks in information processing, transmission, and storage;
• Detect, prevent, and respond to attacks or system failures; and
• Regularly test and monitor the effectiveness of key controls, systems, and procedures.