Advertising Law Tool Kit - Ninth Edition | 2021
Privacy and Data Security

These questions are critical for assessing your organization’s corporate privacy and security health. If you answer yes to any of the first eight questions or no to the last two, consider engaging experienced privacy and data security counsel to assist your organization in strengthening its policies.

• Do you use information about customers for marketing or other purposes not related to the particular sale or transaction in which you collected the information?
• Do you collect contact information from customers when they use their credit card to pay for purchases?
• Do you ask visitors to your website to tell you their age? Do you market anything to children online? Do you knowingly collect personal information from children under the age of 13?
• Do you retain credit card information?
• Do you have a privacy policy on your website and app? If so, are you doing what you tell your customers you are doing with personal information about them? Is it accurate and complete, or has it become outdated?
• Do you test your choice mechanisms, such as email opt-outs, regularly?
• Do you conduct business with companies in the healthcare, financial services, video streaming, or telecommunications sectors?
• Do you do what you tell your employees you will do with personal information about them? Do you tell your employees how you monitor them in the workplace?
• Do you receive personal information (about customers, employees, vendors, or others) from Europe or other foreign jurisdictions? Do you “offshore” or otherwise transfer personal information to foreign jurisdictions?
• Do you have an effective security program designed to safeguard personal information with adequate technical, administrative, and physical safeguards? Is it in writing? Do you conduct regular tests of your information security program? Do you then take steps to mitigate any vulnerabilities detected in such tests?
• Do you have an effective mitigation plan for privacy or security breaches?

With the California Consumer Privacy Act (CCPA) now effective and enforceable, with the California Consumer Protection Act (CPRA) having passed in the 2020 California election as a ballot initiative, and with other states considering similar legislation, it is critical that organizations take these initial steps toward compliance:

• Assess your data collection and use practices.
• Create or update your data map.
• Conduct a gap analysis to identify whether your policies and practices meet the requirements of the CCPA, and begin to do the same for the CPRA, which takes effect on January 1, 2023, with an enforcement start date of July 1, 2023; but note that its new requirements will apply to personal information collected on or after January 1, 2022.
• Develop a compliance road map based on gaps identified.
• Review your privacy policy to meet the requirements of the CCPA. Create internal policies to document your compliance processes, including service provider agreements required under the CCPA.
• Conduct employee training and raise awareness of the CCPA in your company.
• Keep a close eye on ongoing rulemaking for the CCPA, the development of a new enforcement agency under the CPRA, and developments in Congress and in other states.

Companies that engaged in the exercise of becoming ready to comply with the European Union’s General Data Protection Regulation (GDPR) have an advantage when it comes to CCPA compliance, but there is more work to be done. We are experienced with navigating clients through both regimes.

D. Reed Freeman Jr.
rfreeman@Venable.com
+1 202.344.4606

Kelly DeMarchis Bastide
kabastide@Venable.com
+1 202.344.4722