California Privacy Law Series Enforcement And Preparedness

Upload by : Cannon Runnels

California Privacy Law Series
Enforcement and Preparedness
May 3, 2022

Speakers
- Lothar Determann, Partner, Palo Alto, 1 650 856 5533, lothar.determann@bakermckenzie.com
- Helena Engfeldt, Partner, San Francisco, 1 415 984 3842, helena.engfeldt@bakermckenzie.com
- Teresa Michaud, Partner, Los Angeles, 1 310 201 4725, teresa.michaud@bakermckenzie.com
- Jonathan Tam, Partner, San Francisco, 1 415 984 3883, jonathan.tam@bakermckenzie.com

Housekeeping
- Today's program is being recorded
- 10 minutes Q&A at the end
- Event is approved for 1 hour general credit in California. CLE code will be read midway through the presentation
- Interested in next topics in our 2022 CA Privacy Law series?
  - Employee equity compensation and privacy compliance on July 12
  - Getting Ready for 2023: CPRA, Colorado, Virginia, Utah and on September 13
  - Privacy in the M&A context on November 1

Agenda
1. California Attorney General Privacy Enforcement
2. Lessons from CCPA Enforcement Case Examples
3. Financial Incentive Programs
4. CMIA Enforcement
5. Class Actions
6. Preparedness
7. Q&A

1. California Attorney General Privacy Law Enforcement

California Attorney General Privacy Enforcement
- Trends & Stats: targets, industries, B2B v. B2C
- CCPA and other California Privacy Laws Enforced
- California Attorney General Inquiries – Process: Complaints, investigations, letters, responses, meetings, document production, settlements
- Possible outcomes
- Binary Violations vs. Complex Arguments
- Topics in focus

2. Lessons from CCPA Enforcement Case Examples

Lessons from CCPA Enforcement Case Examples
- Non-Compliant Privacy Notices and Policy
  - Supplemental CCPA Privacy Policy
  - Compare against requirements in the statute & regs
  - Notice of Financial Incentive
- Non-Compliance with "Do Not Sell" Requirements
  - Option 1: Avoid selling
  - Option 2: Consent for minors
  - Prominent link
  - Frictionless opt-out process
  - Global privacy controls

Lessons from CCPA Enforcement Case Examples
- Non-Compliant Service Provider Contracts
  - Compare against requirements in the statute
- No or Defective Request Methods
  - At least two request methods
  - Toll-free number
  - Authorized agents
  - Protocol on responding to requests

3. Financial Incentive Programs

Financial Incentive Programs
1. When do the obligations apply? CCPA vs CCPA regs
   “Financial incentive” means a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information. 11 CCR § 999.301.
2. Investigative sweep on loyalty programs
   “data isn’t only collected when we go online. It's collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store”
   Attorney General Bonta
3. Have arguments and notice ready

Notices of Financial Incentive
1. Material terms, available before opt in, and inform of opt-out
2. Prior opt-in consent?
   a) opt-in vs consent vs opt-in consent
3. Good faith estimate of value of data - dollar amount?
   a) “may be a financial incentive program”
   b) “we do not assign value to data”
   c) “X but estimate only and value assigned for purposes of this notice only”

4. CMIA Enforcement

Confidentiality of Medical Information Privacy Act
1. California AG activity beyond CCPA
2. 2020 CMIA settlement
   a) authorization
      i. prescribed format
   b) safeguarding medical information
      i. need to know access controls
      ii. vet vendors

5. Privacy Breach Class Actions

Privacy Breach Class Actions
- CCPA – increase in cases filed, but not defendants
  - private right of action to those whose personal information (subset of categories) is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business's violation of the duty to implement and maintain reasonable security procedures.
  - plaintiffs may recover actual damages sustained or not less than $100 and up to $750 per consumer per incident, whichever is greater.
  - vast majority of CCPA cases were settled or dismissed
- Standing under Article III of the U.S. Constitution, Ramirez v. Transunion, 141 S. Ct. 2190 (2021)

Expectations for Litigation Trends
- Novel theories of liability
  - Purported violations of new privacy laws in California, Colorado, Virginia, mixed with common theories of negligence
- New theories of damages
  - Ransomware attack involving the Colonial Pipeline: plaintiff alleges that consumers and gas station owners were harmed by increased gas prices as a result of the company's negligence
- New shift in defense strategies
- Longevity for fact-intensive disputes
- Mass individual arbitration risks
- Data Misuse as opposed to breach Class Actions
- Tag-along actions to any government enforcement risks

6. "Preparedness" Advice on California Privacy Law Risks

Top 10 Takeaways
1. CCPA notices and policies fully updated under CCPA and CCPA regs
2. Vendor Agreements
3. Data subject rights process
4. Avoid selling & sharing – or implement working “do not sell or share my info” link and mechanism
5. Protective but not overly burdensome authentication process
6. Have a toll free number
7. Notice of Financial Incentive
8. Arbitration Clauses
9. Attorney Client Privilege in investigations
10. Document compliance

Questions

Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
2022 Baker & McKenzie LLP
bakermckenzie.com

