CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions

2. 2 ● We will be starting a couple minutes after the hour ● This webinar will be recorded and the recording and slides sent out later today ● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers Thank you for joining the webinar “CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions”

3. 3 Speakers K Royal, FIP, CIPP/US / E, CIPM, CDPSE Associate General Counsel - Privacy Intelligence TrustArc Beth Sipula, FIP, CIPM, CIPP/US Director, Consulting TrustArc

4. 4 CCPA Overview and Main Components Journey Stages of CCPA Program Management Maturity TrustArc CCPA Solutions for Every Stage of Compliance Today’s Goals

5. 5 CCPA Overview 5 California Consumer Privacy Act ● Passed in June 2018 and revised later in September ○ then revised in October 2019 ● Broadest privacy law in the U.S. ● Impacts any business with data on California consumers, households, or devices ● Regulations submitted to Office of Administrative Law ● Meanwhile, California Privacy Rights Act is on the November ballot Top Provisions of the CCPA ● Expanded scope: people and data ● Transparency and notice ● Individual rights and “Do not sell my personal data” ● Private right of action

6. 6 California Privacy Rights Act - CPRA 6 ● Ballot initiative - https://www.caprivacy.org/ ● Definitions ○ Consent, contractor, share, sensitive personal information, and business definition amended regarding applicability within those sharing branding ● Rights ○ Correction and limit use and disclosure of SPI ● Third parties / service providers ○ Notice at collection, contractual obligations, requires levels or protection, cooperation on consumer requests, flowdown provisions ● Security ○ Explicit provisions, “reasonable” and “appropriate to the nature” of PI, annual audit of cybersecurity with submission to the Consumer Privacy Protection Agency

7. 7 Transparency Individual Rights Third Party Management Risk Management (including security) Main Components of CCPA

8. 8 Notice and data processing activities - online and in person, internal and external ● A business that collects a consumer’s personal information shall, ○ at or before the point of collection, ○ inform consumers as to the ■ the categories of personal information to be collected and ■ the purposes for which the categories of personal information shall be used. ● A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section. Additional Elements ● Be informed of rights ● Reasonably accessible ● Clear and conspicuous link (do not sell) Transparency - Overview

9. 9 Know the requirements Follow the requirements Update and Review Develop Process: Identify elements - online and offline, Provide notice, Quality checks, Update as needed, Review regularly Data inventory and practices Know Your Data Internal and External Notice https://www.w3.org/WAI/standards-guidelines/wcag/ Transparency - Compliance

10. 10 Individual Rights - Overview Right to Know / Request Access Right to Non-discrimination Right to Opt OutRight to Delete Plus, portability (easily accessible format) and notice. CPRA adds right to correction.

11. 11 Know Your Data ResponseIntake Develop Process: Intake, Internal Routing, Response (substance and form)Data inventory Individual Rights - Compliance

12. 12 Third Party Management - Overview Service Provider definition ○ processes information on behalf of a business ○ to which the business discloses a consumer’s PI ○ for a business purpose ○ pursuant to a written contract ○ provided that the contract prohibits: ■ retaining, using, or disclosing the PI for any purpose, including commercial purposes, other than for the specific purpose of performing the services specified in the contract for the business Third party definition – anyone who is NOT ○ Under contract with restrictions on ■ Selling the PI ■ retaining, using, or disclosing the PI for any purpose, including commercial purposes, other than for the specific purpose of performing the services specified in the contract for the business ■ Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business ○ Includes a certification of understanding the restrictions and will comply

13. 13 Third Party Management - Compliance Identify Identify the third parties that interact with personal information, at some point along the information lifecycle Assess Assess risks associated with the third party, classify based on risk, identify mitigations in place Address Address actions needed by priority, assign responsibility, mitigate

14. 14 Risk Management - Overview Notice / Awareness Processes & Controls Third PartiesPersonal Information Identify risks, Analyze risks, Evaluate / prioritize risks, Mitigate risks, Monitor effectiveness of controls, Review & Reassess

15. 15 Platform Capabilities PRIVACY OUTCOMES Regulatory Insights and Monitoring Privacy Program Insights Risk Management Benchmarks and Planning Consent Management Privacy Rights Management Breach Response Audit and Assurance Compliance Monitoring Awareness Task Management and Action Plans Reporting DataCapture Applications External API’s KNOWLEDGE BASE Data Inventory Hub My Company Info Tracker Scans Intelligence System(IoP) Libraries TrustArc Privacy and Data Governance Accountability Framework Law and Regulatory Standards Repository INTELLIGENCE ENGINES Risk Management - Compliance TrustArc Data Privacy Management Platform Deep Intelligence + Complete Automation

17. 17 Privacy Management Journey Predict and Prioritize • Privacy roles and team built • Management reviews formalized (int/ext) • Cross-functional process and automation in place • Real-time monitoring in place Managed Semi-Automated • Functional team identified • Procedures and processes implemented • Business communicates processes internally Defined Document Sharing • Some policies centrally managed in silos • Some procedures and processes • Leadership awareness but resources are limited Repeatable Usage & Expertise IncreaseEfficiency&Effectiveness Spreadsheets and Decentralized • Decentralized • Informal, inconsistent procedures and processes • Reactive • Leadership awareness limited Ad Hoc Continuous Improvement • Leadership engaged on privacy team outcomes • Continuous monitoring & risk assessments • Risk-aware enterprise and embedded controls • Remedial actions taken to ensure compliance Optimized Based on AICPA/CICA Privacy Maturity Model

18. 18 Poll Question 18 Where are you in your CCPA privacy management journey? ● Ad Hoc ● Repeatable ● Defined ● Managed ● Optimized

19. 19 Privacy Management Journey Predict and Prioritize Managed Semi-Automated Deﬁned Document Sharing Repeatable Spreadsheets and Decentralized Ad Hoc Continuous Improvement Optimized Individual Rights Request Vendor Termination Client Request Potential Incident

20. 20 Privacy Management Journey: Ad Hoc Spreadsheets and Decentralized • Decentralized • Informal, inconsistent procedures and processes • Reactive • Leadership awareness limited Ad Hoc *Based on AICPA/CICA Privacy Maturity Model Knowledge: Understand the internal and external environment and what data, jurisdictions, standards/rules, business activities apply and how. Begin to educate leaders and prioritize efforts. Main Goal Vendors, current practices, data, leader knowledge, priorities. Focus Area Document third parties and systems, conduct third party and company risk assessments, determine which requirements apply, assess preparedness, create policy and standard library, prioritize and track remediation activities. TrustArc

21. 21 Privacy Profile

22. 22 Operational Templates

23. 23 Privacy Management Journey: Repeatable Document Sharing • Some policies centrally managed in silos • Some procedures and processes • Leadership awareness but resources are limited Repeatable *Based on AICPA/CICA Privacy Maturity Model Build Components: Identify functions critical in a privacy program, begin to address gaps, enhance knowledge across select functions within organization. Main Goal Organizational data and internal policies, individual rights, consent and transparency, transborder data flow. Focus Area Data Inventory and DPIA assistance, outsourced Privacy Office, Enterprise Certification, APEC Privacy Recognition for Processors. TrustArc

24. 24 Risk Profile

25. 25 Program Maturity and Trends

26. 26 Privacy Management Journey: Defined Semi-Automated • Functional team identiﬁed • Procedures and processes implemented • Business communicates processes internally Deﬁned *Based on AICPA/CICA Privacy Maturity Model Operational Efficiency: Continue to address compliance issues and formalize the privacy program; identify opportunities to increase efficiency and scalability through automation. Establish a privacy culture and communicate externally. Main Goal Continue to close high priority gaps: DPIAs/PIAs, individual rights, transparency, third party management, incident response and breach, transborder data flow issues. Focus Area Document business processes, conduct DPIAs/PIAs, review third parties, review risks and track activities, manage individual rights. TrustArc

27. 27 Data Inventory Hub

28. 28 Data Flow

29. 29 Privacy Management Journey: Managed Predict and Prioritize • Privacy roles and team built • Management reviews formalized (int/ext) • Cross-functional process and automation in place • Real-time monitoring in place Managed *Based on AICPA/CICA Privacy Maturity Model Consistency and wisdom. Run an effective and efficient privacy program; implement internal and external management/operational reviews. Main Goal Consistently manage processes to review and refresh program data; gather and make decisions based on program data. Focus Area Run automated assessments and refresh activities on a regular basis, review program metrics/report/adjust privacy program plan; Establish oversight, monitoring, and executive/board reporting supported by technology. TrustArc

30. 30 Privacy Profile Demonstrate privacy compliance and accountability to customers, partners, and the public through participation in a TRUSTe Assurance Program Determine which Assurance Programs will mitigate your international data transfer risks Prepare to demonstrate compliance and accountability with Your Policy and Standards Library and Operational Templates Monitor and audit privacy compliance and accountability with Attestor

31. 31 Privacy Management Journey: Optimized Continuous Improvement • Leadership engaged on privacy team outcomes • Continuous monitoring & risk assessments • Risk-aware enterprise and embedded controls • Remedial actions taken to ensure compliance Optimized *Based on AICPA/CICA Privacy Maturity Model Continuous Improvement: Review progress internally and compare with peers. Main Goal Regularly review and refine all privacy program component risks, goals, and activities. Compare results with other organizations, new expectations in the law or marketplace. Report and adjust. Focus Area Leverage results of technology-supported monitoring, benchmark against others, and make adjustments. TrustArc

32. 32 The tech works for you...

34. © 2019 TrustArc Inc Proprietary and Confidential Information Thank You! See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.