
6 MONTH COUNTDOWN TO CALIFORNIA CONSUMER PRIVACY ACT (CCPA) FOR RETAILERS

June 12, 2019

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK
company limited by guarantee, and forms part of the international BDO network of independent member firms.
With you today

Karen Schuler, Principal, National Governance & Compliance Practice Leader, BDO USA, LLP, kschuler@bdo.com
Rebecca Shore-Suslowitz, Senior Counsel & Director, Global Privacy, Under Armour, rshoresuslowitz@underarmour.com
Rick Wilson, VP, Strategy & Solutions, Sherpa Software, rwilson@sherpasoftware.com
Shannon K. Yavorsky, Partner, Venable LLP, skyavorsky@venable.com

2 CCPA: 6 Month Countdown for Retailers


Agenda

• Welcome and Introduction
• CCPA Background
• Preparing for Compliance & Determining Scope
• Scope of Personal Info & Business Impact
• Notices and Service Provider Contracts
• Selling and Sharing Data
• Minimizing your exposure post January 1
• Managing the Risk of an Uncertain World – Open Discussion and Q&A



Privacy & data protection drivers

REGULATIONS: New privacy and data protection laws and regulations (with teeth) are being drafted and taking effect in the US, EU and across the world.

DATA BREACHES & HACKS: Data breaches & hacks lead to adverse media attention, business disruption, customer trust erosion, goodwill and reputation loss, criminal and civil penalties and costs, complaints and lawsuits and loss of revenues.

INNOVATION: Implementations of AI, Blockchain, Robotic Process Automation, Internet of Things etc. are bringing about new and different uses of personal data and privacy concerns.



Consumer demands are shifting

• 73% of consumers say their concern over privacy of personal data has increased in the last few years
• 66% have changed privacy settings, removed a social media account or declined terms of service
• 67% think the government should do more to protect data privacy

Source: https://www.sas.com/content/dam/SAS/documents/infographics/2018/en-data-privacy-109964.pdf



The General Data Protection Regulation (GDPR)

Meanwhile in Europe…

The GDPR, in effect since May 2018, imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that process, monitor and analyze personal data tied to EU residents, no matter where they are located. Applies to:

• “Controllers” that determine the means and purposes of processing of personal data
• “Processors” that process personal data on behalf of Controllers

HIGHLIGHTS

• Requires a legal basis before personal data processing
• Requires an international data transfer mechanism before moving data out of the EU
• Enhanced data subject rights including:
  1. Right to Know
  2. Right to Access
  3. Right to Data Portability
  4. Right to Rectify
  5. Right to Restrictions
  6. Right to Object to Automated Decisions
  7. Right to be Forgotten
• Privacy by design and default
• Obligatory Data Protection Officer (DPO) where Article 37 applies (public authorities, large-scale regular monitoring, or large-scale processing of special categories of data)

FINES UP TO 4% OF GLOBAL REVENUES OR €20M (WHICHEVER IS HIGHER)



GDPR: One year later, enforcement in action



California Consumer Privacy Act (CCPA)

600+ State laws and counting…

The CCPA, going into effect January 1, 2020, gives Californians the most sweeping, comprehensive and empowering consumer privacy rights in the country. The act sets requirements that regulate and attempt to limit the sale of personal information (PI). These restrictions apply to “for profit” businesses that meet at least one of the following:

• Have annual gross revenues > $25M
• Derive 50% or more of annual revenues from the sale of personal information
• Buy, receive, sell or share PI of 50,000 or more CA consumers, households or devices

HIGHLIGHTS

• Broad definition of PI includes identity, commercial, professional, electronic, behavioral, inferential, financial, transactional, biometric and educational data
• Enhanced disclosure obligations to consumers regarding how and from whom PI is collected, used, shared, disclosed or sold to
• Enhanced consumer rights including:
  1. Right to Know
  2. Right to Access
  3. Right to Data Portability
  4. Right to Say No or Opt-out
  5. Right to Equal Service
  6. Right to Deletion

PRIVATE RIGHT OF ACTION FOR DATA BREACHES, WITH STATUTORY DAMAGES OF $100 TO $750 PER CONSUMER PER INCIDENT



Comparing CCPA to GDPR
A framework to understand the requirements

PRINCIPLES (DATA SUBJECT PRINCIPLES)
• Fair, lawful, and transparent
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

RIGHTS OF THE DATA SUBJECT
• Right to Know
• Right to Access
• Right to Data Portability
• Right to Rectify
• Right to Restrictions
• Right to Object to Automated Decisions
• Right to be Forgotten

BUSINESS OBLIGATIONS (CONTROLLER OBLIGATIONS)
• Written records of processing
• Legal basis for processing
• Cross-border transfer mechanisms
• Transparent notices
• Freely given, specific, informed and unambiguous consent; affirmative consent for children; withdrawal mechanisms
• Privacy by design and by default
• Privacy Impact Assessments (PIA) & Data Protection Impact Assessment (DPIA)
• Constraints and requirements for automated decisioning
• Security obligations
• Obligatory Data Protection Officer (DPO)
• Representatives
• Documented accountability mechanisms

SERVICE PROVIDER AREAS (PROCESSOR OBLIGATIONS / OPERATIONS AREAS)
• Contract requirements
• Policies and procedures
• Written records of processing activities
• Technology
• Third-party risk management and vendor accountability
• Information security
• Website activity
• Information governance/records retention
• Breach notifications
• Data Protection Impact Assessment (DPIA)
• Data transfer mechanisms
• Data subject access requests / consumer rights assertion intake, verification, and fulfilment



Are you impacted by CCPA?

WHICH OF THE FOLLOWING APPLY TO YOUR ORGANIZATION?* IF YOU CHECK MORE THAN ONE BOX, THE ANSWER IS LIKELY YES.

• Do you collect personal identifiers?
• Do you engage in transfers of personal/device/household information to a 3rd party?
• Do you collect electronic network activity data?
• Do you collect data from website visitors?
• Do you determine the purposes and means of processing personal information (PI)?
• Do you have a for-profit ‘California business’ with at least one of the following criteria?
  • Annual gross revenues exceeding $25 million;
  • Annually buy, receive, sell, or share PI of 50,000 or more consumers, households or devices; or,
  • Derive 50% or more of your annual revenues from selling consumers’ PI.

* For California resident data, devices, or households.



Preparing for compliance

Phased roadmap (phases 0 through 7):

0: Understand current and future regulatory obligations; evaluate current state
1: Assess, develop strategy, define in-scope processes and data; security roadmap
2: Inventory and map personal information; third-party assessments, PIAs and DPIAs (as needed)
3: Categorize data; evaluate incentive plans for sale of PI portfolio
4: Build consumer self-service program; develop consumer response center
5: Implement privacy-by-design practices; renegotiate vendor agreements (as needed)
6: Finalize & roll out self-service model; roll out consumer response center operations
7: Implement overall program and expand into an enterprise privacy governance program; iterate, govern and improve



Determining scope and extraterritorial considerations

• Is it worth pursuing the gold standard?
• Broad definition of personal data
• Understand the overlap of privacy regulations
• Data minimization



CCPA (Cal. Civ. Code § 1798.140(o)(1)) definition of personal information:

(1) “Information”: broad term that can include both subjective and objective statements and non-sensitive information. CCPA provides a long list of examples that include geo-location data, online identifiers, and inferences drawn from other available information.

(2) “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked”: this block is the key to understanding the scope of the definition. The question is, what kind of nexus should exist between the information and the “consumer or household” in order for the information to be personal?

(3) “directly or indirectly”: stretches the concept of ‘personal information’ beyond information that directly identifies a ‘resident or household’ to include information that makes it ‘identifiable’.

(4) “with a particular consumer or household”: ‘Consumer’ is defined in CCPA to mean a California resident for tax purposes. It is not clear how the inclusion of the reference to ‘household’ will expand the definition of personal information.

De-identified data, aggregated consumer information and information made public by public authorities that is being used for the purposes for which it was made public are excluded from the definition of “personal information” under CCPA.



The impact of non-compliance

Organizations required to comply with CCPA face the following:

Continued Breach Occurrence: The lack of a holistic and fully implemented privacy and security program may lead to repetitive incidents that result in a series of breaches.

Financial Penalties: Penalties could be $7,500 per intentional violation or $2,500 per unintentional violation.

Loss of Consumer Trust: Consumers impacted by a violation of CCPA may lose trust and confidence in the organization’s ability to safeguard personal information.

Reputational Harm: Negative coverage in the media may impact a current or potential customer’s impression of the organization.

Course Correction and Taking Action: Lack of a fully implemented privacy and security program may result in corrective action. Human and financial resources will be needed to correct existing issues.

Legal Proceedings: Incidents and/or breaches of personal information may result in lawsuits and other legal proceedings in addition to the actions of the CA AG.

Regulator – California Attorney General (CA AG)



Identifying personal information

Stages of the cycle: INTERVIEW STAKEHOLDERS, DEVELOP LEVEL 0 (PROCESS), DEVELOP LEVEL 1 (PROCESS/SUB PROCESS), DEVELOP LEVEL 2 (DATA FLOW), PERSONAL DATA INVENTORY, UPDATE CLASSIFICATION & RETENTION, IMPLEMENT TECHNOLOGIES

• Understand key systems, current policies and procedures, and data control issues
• Identify ordinary business operations and data requirements
• Understand MDM
• Scan the network for PI
• Perform walk-throughs at every stage of the data lifecycle
• Interview key stakeholders
• Understand processes to document data flow
• Prepare data life cycle maps, if necessary
• Create initial data catalogs and preliminary data sensitivity charts
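The "scan the network for PI" and "preliminary data sensitivity chart" steps can be prototyped in a few dozen lines. The following is an added example written for this page, not tooling from BDO, Sherpa Software or any of the presenters: it runs content detectors (email, phone, IP address, coordinates, and payment card numbers confirmed with a Luhn check) plus column-name hints over constructed sample rows from three hypothetical retail systems, and produces a (system, field, sensitivity, categories) catalog. The category labels, the sensitivity tiers, the regexes, the field-name hints and the sample data are all assumptions made for illustration.

```python
"""Personal-information (PI) discovery over structured records.

Added illustrative example for this page; it is not BDO, Under Armour, Sherpa
Software or Venable tooling. Category labels loosely follow the kinds of PI the
CCPA lists (identifiers, commercial information, geolocation); the regexes,
field-name hints, sensitivity tiers and sample records are constructed assumptions.
"""
import re
from collections import defaultdict

# Content-based detectors, keyed by an illustrative CCPA-style PI category.
PI_PATTERNS = {
    "identifiers:email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "identifiers:phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "identifiers:ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "geolocation:coordinates": re.compile(r"-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}"),
    # 13-19 digit runs with optional space/hyphen separators; confirmed by Luhn below.
    "commercial:payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# Schema-based hints: a person's name has no shape a regex can recognise,
# so the column name is the only signal a scan has (assumed hint list).
FIELD_NAME_HINTS = {
    "name": "identifiers:name",
    "address": "identifiers:postal_address",
    "dob": "identifiers:date_of_birth",
}

# Categories treated as high sensitivity in the preliminary chart (assumption).
HIGH_SENSITIVITY = {"commercial:payment_card", "geolocation:coordinates"}


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check; filters order numbers and other digit runs out of card hits."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_pi(value: str) -> set:
    """Return the PI categories whose pattern matches somewhere in the value."""
    found = set()
    for category, pattern in PI_PATTERNS.items():
        for match in pattern.finditer(value):
            if category == "commercial:payment_card" and not luhn_ok(match.group()):
                continue  # digit run that is not a valid card number
            found.add(category)
            break
    return found


def classify_field(field: str, value: str) -> set:
    """Combine content detection with column-name hints for one cell."""
    categories = detect_pi(value)
    for hint, category in FIELD_NAME_HINTS.items():
        if hint in field.lower():
            categories.add(category)
    return categories


def scan_records(records) -> dict:
    """Build a preliminary data catalog: (system, field) -> rows seen and categories found."""
    catalog = defaultdict(lambda: {"rows": 0, "categories": set()})
    for rec in records:
        for field, value in rec["row"].items():
            entry = catalog[(rec["system"], field)]
            entry["rows"] += 1
            entry["categories"] |= classify_field(field, str(value))
    return dict(catalog)


def sensitivity(categories: set) -> str:
    """Three-tier sensitivity used for the preliminary chart (assumed tiers)."""
    if categories & HIGH_SENSITIVITY:
        return "high"
    return "medium" if categories else "none"


def sensitivity_chart(catalog: dict) -> list:
    """Sorted (system, field, level, categories) rows: the preliminary data sensitivity chart."""
    return sorted(
        (system, field, sensitivity(e["categories"]), sorted(e["categories"]))
        for (system, field), e in catalog.items()
    )


# Constructed sample rows standing in for three retail systems (not real data).
SAMPLE_RECORDS = [
    {"system": "crm.customers", "row": {"full_name": "Jane Doe", "email": "jane.doe@example.com",
                                        "phone": "(415) 555-0142", "notes": "prefers email"}},
    {"system": "web.access_log", "row": {"client_ip": "203.0.113.7", "path": "/cart",
                                         "user_agent": "Mozilla/5.0"}},
    {"system": "pos.transactions", "row": {"order_id": "A-100231", "pan": "4111 1111 1111 1111",
                                           "delivery_geo": "37.7749, -122.4194"}},
]

if __name__ == "__main__":
    for system, field, level, cats in sensitivity_chart(scan_records(SAMPLE_RECORDS)):
        print(f"{system:18} {field:14} {level:6} {', '.join(cats)}")
```

Run directly, it prints one chart row per (system, field) with the sensitivity tier and the categories found. Pattern-based discovery only finds PI with a recognisable shape; names, household and device linkages, and inferences drawn from other data have none, which is why the slide pairs the scan with stakeholder interviews and data-flow walk-throughs rather than relying on it alone.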



Notices and service providers

NOTICES

Requires companies to inform consumers at or before the point of collection about the categories of personal information collected and the uses of the information. Prohibits companies from collecting additional categories of personal information or using collected personal information in new ways without notice.

Requires businesses to disclose the following information on the business’s website:

• A description of the consumer’s rights and methods for submitting requests for information;
• A list of the categories of personal information collected in the past twelve months;
• A list of the categories of personal information sold in the past twelve months; and
• A list of the categories of personal information the business has disclosed for a business purpose in the past twelve months.

SERVICE PROVIDERS

• For-profit legal entity that processes personal information on behalf of a business pursuant to a written contract for a business purpose.
• Businesses may use service providers and share personal information with them.
• Not considered a sale of personal information under the law if the sharing of personal information is necessary to perform a business purpose, the business has provided notice that the information is being used or shared, and the service provider does not further collect, sell or use the personal information of the consumer except as necessary to perform the business purpose.

Cal. Civ. Code §§ 1798.100, 105, 115, 120, 125, 130, 135



Selling and sharing data

“Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration. (Cal. Civ. Code § 1798.140(t)(1))



Minimizing exposure post January 1st

• Evaluate data governance and privacy maturity
• Consider your online presence and related policies
• Create a data inventory
• Train your team and develop a privacy awareness program
• Integrate GDPR and CCPA response and management programs



Future-proof privacy program

• ESTABLISH PRIVACY PRINCIPLES: adopt a framework (GAPP, Privacy Shield, ISO, ISACA or other) and organize the privacy program
• ADOPT PRIVACY BY DESIGN & DEFAULT MINDSET
• TRANSPARENT DATA USE
• ESTABLISH END-TO-END SECURITY
• ASSIGN ACCOUNTABILITY & OWNERSHIP
• ESTABLISH STANDARDS, PROCEDURES & CONTROLS
• KNOW YOUR DATA FLOWS & PROCESSING
• MONITOR & CURE



Retailers should take the ethical approach

DATA ETHICS FRAMEWORK

• Clearly define the project and its benefits
• Develop a transparent program that holds the company accountable for use of data
• Use data proportionate to the project
• Understand the limitations of the data



Managing the Risk of an Uncertain World –
Open Discussion and Q&A



Resources



BDO Governance & Compliance resources

For more information on our practice, please visit our website on BDO.com:
https://www.bdo.com/services/business-financial-advisory/information-governance-privacy/

There you can find additional practice information, a variety of our related thought leadership, other insights, and more, including our new CCPA Resource Page!



Contacts

Karen Schuler, Principal, National Governance & Compliance Practice Leader, BDO USA, LLP, kschuler@bdo.com
Rebecca Shore-Suslowitz, Senior Counsel & Director, Global Privacy, Under Armour, rshoresuslowitz@underarmour.com
Rick Wilson, VP, Strategy & Solutions, Sherpa Software, rwilson@sherpasoftware.com
Shannon K. Yavorsky, Partner, Venable LLP, skyavorsky@venable.com

