
CPRA, GDPR, Virginia CDPA, and NY Shield Act: Essential Things You Need to Know


With the rise of streaming TV, online commerce, messaging and contactless purchasing, there is more data out there. With the pandemic economy dictating efficiency in spending, and third-party cookies being phased out, publishers and brands are looking for the most efficient bang for their advertising buck. This data, and how it is used, is increasingly regulated both in the EU under GDPR and in the US under CCPA and the upcoming laws CPRA and Virginia CDPA. In this interactive webinar, Odia Kagan will discuss the unique issues around ad tech and personal data collection and will explain what publishers and adtech providers need to think about when faced with compliance under these laws and what steps they should take now.
The webinar will cover:
• Advertising personalization data is personal data and personal information under CCPA and GDPR.
• Key requirements under CCPA, CPRA, GDPR
• Do not share my personal information?
• How do you disclose your practices transparently?
• Where does TCF factor in?
• Use and sharing is consent-based – but how does that work in real life?

Recorded webinar: https://youtu.be/GeIGqkLWcRk


CPRA, GDPR, Virginia CDPA, and NY Shield Act: Essential Things You Need to Know

  1. Agenda • California: CCPA/CPRA • Virginia: CDPA • New York: NY Shield • EU/US: GDPR Extraterritorial + Cross Border • US: What does the future hold? • Q & A
  2. Key Issues in CCPA/CPRA
  3. CCPA in a Nutshell • First comprehensive privacy law • Signed into law on June 28, 2018. • Went into effect January 1, 2020. • Enforceable since July 1, 2020 • Enforcement already started, lawsuits filed
  4. Key Issues in CCPA • Personal Information – very broad (even inferences). • Detailed privacy disclosure(s) • What’s in a sale? • Yes, cookies too • Financial incentive?
  5. Key Issues in CPRA • Data minimization + Purpose limitation • Retention limitation • Limitation on “sharing” (targeted advertising focus) • Global opt out?? • Profiling and automated decision making • DPIA • Detailed obligations for service provider agreements
  6. Key Issues in VA CDPA
  7. Key Issues in VA CDPA • Opt-in for sensitive information • Reasonable administrative, technical and physical security • Broad Data Protection Assessment requirements • Process for de-identified information • Detailed obligations for service provider agreements • Obligations for data processors • Children’s compliance - COPPA
  8. Key Issues in NY Shield / NYDFS
  9. Key Issues in NY Shield Act • Effective: 10/19 (breach) 3/2020 (infosec) • Holding personal information of NY residents • Broad definition (CC number, biometrics) • Detailed information security req’s • Breach notification
  10. Key Issues in NYDFS Cybersecurity Regs • 4 phases 2/18 – 3/19 • Comprehensive cybersecurity program (governance, incident response, internal policies, reporting, third party providers). • First enforcement – Summer 2020
  11. GDPR Extraterritorial
  12. Extraterritorial Application of GDPR • Soriano - Offering / targeting must be “related to” • EDPB 2021-2023 Action plan – More enforcement on Non-EU controllers • New SCC’s – Do they apply to Art. 3(2) entities?
  13. Schrems II and its Aftermath
  14. Schrems II and Aftermath • Court decision: Privacy Shield is dead; SCC’s need life support. • EDPB Guidelines: (a) No risk based approach (b) No US cloud providers? (c) What about intercompany transfers? • New SCC’s • What to do?
  15. What does the future hold?
  16. US: State laws • Washington state – bill making progress • GDPR concepts • (almost) No private right of action • New York • Several bills • Fiduciary obligations • Private right of action + regulations • Texas? • Colorado?
  17. US: Federal • Increased privacy / cybersecurity focus? • More FTC enforcement? • Federal law? • EU US Privacy Shield? / Surveillance laws
  18. THANK YOU • Odia Kagan • OKagan@foxrothschild.com

Editor's Notes

  • If you have a process for this under GDPR – is it sufficient?
  • Administrative Safeguards:
      - Designate individual(s) responsible for security programs;
      - Conduct a risk assessment process that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of safeguards in place to control those risks;
      - Train and manage employees in security program practices and procedures;
      - Select capable service providers and require safeguards by contract; and
      - Adjust program(s) in light of business changes or new circumstances.
    Physical Safeguards:
      - Assess risks of information storage and disposal;
      - Detect, prevent, and respond to intrusions;
      - Protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal; and
      - Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.
    Technical Safeguards:
      - Assess risks in network and software design;
      - Assess risks in information processing, transmission, and storage;
      - Detect, prevent, and respond to attacks or system failures; and
      - Regularly test and monitor the effectiveness of key controls, systems, and procedures.
  • 23 NYCRR 500