Post US Election Privacy Updates & Implications

2. How to Manage Vendors and Third Parties to Minimize Privacy Risk 2 ● We will be starting a couple minutes after the hour ● This webinar will be recorded and the recording and slides sent out later today ● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers

3. Speakers 3 K Royal Associate General Counsel Privacy Intelligence TrustArc San Francisco Ian C. Ballon Co-chair, Global Intellectual Property + Technology Practice Group, Greenberg Traurig, LLP, East Palo Alto Veronica Torres Chief Privacy Officer Comscore Washington, DC

4. Agenda 4 ● Privacy issues going into 2020 - or were election issues ● Implications of election outcomes on privacy laws or priorities ● What to watch for in 2021

6. Going into 2020 - Step Back in Time 6 ● California ○ CCPA - passed, going through amendments ○ CPRA - announced the proposal ● States ○ Proposed privacy laws ■ FL, HI, IL, MD, MS, NE, NH, NJ, VT, VA, WA ■ plus from 2019 NM, NY, PA, RI, TX ○ NY - Stop Hacks and Improve Electronic Data Security (SHIELD) Act ● In the News ○ Cambridge Analytica - documentary The Great Hack plus Facebook memo ○ Election tampering concerns, but mainly security ○ Facial recognition - Clearview AI ○ FTC enforcement against Facebook $5B penalty ○ FTC settlement with Equifax

7. Journey to California Privacy Rights Act 7 2017 CCPAballotinitiative 2018 CCPAlawJune AmendmentsSep,Oct 2019 Regulations forumsQ1 CPRA announced Amendments Regulationhearings 2020 CCPAeffective Regulations2&3draft CPRAqualified FinalRegs CCPA enforcementJul1 Amendments Moreproposedregs CPRApassed

8. Cybersecurity Class Action Litigation 8 ● Cybersecurity claims ○ Breach of contract (if there is a contract) or covenant of good faith and fair dealing (if the contract claim isn’t on point) or implied contract (if there is no express contract) ○ Breach of fiduciary duty, Negligence, Fraud, unfair competition ○ State cybersecurity statutes (especially those with statutory damages and attorneys’ fees) ○ California (and potentially Oregon) IoT Law, CCPA ● Securities fraud ○ In re Facebook, Inc. Securities Litigation, 405 F. Supp. 3d 809 (N.D. Cal. 2019) ● Data privacy claims ○ Federal - Electronic Communications Privacy Act, Computer Fraud and Abuse Act, Video Privacy Protection Act ○ State laws – IL / TX / WA Biometric, MI, CA ○ Breach of contract/ privacy policies – 2019 ■ In re Equifax, Inc., Customer Data Security Breach Litigation, 362 F. Supp. 3d 1295, 1331-32 (N.D. Ga. 2019) ■ Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1037-38 (N.D. Cal. 2019)

9. Privacy as a Conversation for Election Platforms 9 ● COVID-19 ● State legislatures stopped meeting ● EU congresses stopped meeting ● Privacy around remote work - Zoom ● Mass demonstrations / facial recognition

11. Impacts - Actual and Potential - US States 11 ● State Ballot Initiatives ○ California - Prop 24, California Privacy Rights Act ○ Recent amendments and rulemaking (October) ○ Massachusetts - wireless car data ○ Michigan - Prop 2, search warrant for electronic data and communication ● Other state privacy or security laws ○ Bills considered in 30 states for consumer privacy ■ CA - data brokers, exemption for deidentified medical data ■ MI - insurers providing privacy notices to customers ■ VA - scanning drivers’ licenses for ID verification ● Bills considered in 21 states (plus DC) to amend security breach laws ○ IL,ME, NY, SC, VT, WA, DC ○ VT significant - established CPO for state plus audit, student online privacy act

12. California Privacy Rights Act 12 ● Ballot initiative - https://www.caprivacy.org/ (effective 01.01.2023) ○ Definitions ■ Consent, contractor, share, sensitive personal information, and business definition amended regarding applicability within those sharing branding ○ Rights ■ Correction and limit use and disclosure of SPI (added definition of sensitive PI) ○ Third parties / Service Providers ■ Notice at collection, contractual obligations, requires levels or protection, cooperation on consumer requests, flowdown provisions ○ Security ■ Explicit provisions, “reasonable” and “appropriate to the nature” of PI, annual audit of cybersecurity with submission to the Consumer Privacy Protection Agency ○ CA Consumer Privacy Agency ■ Explicit provisions, “reasonable” and “appropriate to the nature” of PI, annual audit of cybersecurity with submission to the Consumer Privacy Protection Agency

13. CCPA - Litigation, will increase under CPRA 13 ● Update on CCPA suits filed ○ ~50 so far ○ Valid? Little specificity on CCPA, not waiting 30 days for cure, ignore limitation on using CCPA ○ Typically are joined with cybersecurity breach, unfair competition laws, or data privacy claims ● The Private Right of Action ○ Applies to data breaches and failure to implement reasonable measures, not other CCPA provisions ■ Specifically “whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices . . . .” ○ What is reasonable will be defined by case law ○ 30 day notice and right to cure as a precondition, that is amended under CPRA ○ $100 - $750 “per consumer per incident or actual damages, whichever is greater, injunctive or declaratory relief, and any other relief that a court deems proper.” ■ In assessing the amount of statutory damages, the court shall consider “any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth”

14. Future CPRA Litigation 14 ● The CCPA framework of providing for administrative enforcement but allowing a private cause of action for certain security breaches (with statutory damages) largely remains in effect + BUT the California Privacy Protection Agency is empowered to sue and courts may be involved in enforcement of administrative enforcement actions ● Administrative litigation before the California Privacy Protection Agency with judicial review (abuse of discretion standard) ● Litigation brought by the CPPA per new Civil Code § 1798.199.90 ● Litigation over CPPA subpoenas ● CPPA collection actions per new Civil Code § 1798.199.75 ● Section 3: "Businesses should be held accountable for violating the law through vigorous administrative and civil enforcement."

15. Future CPRA Litigation 15 ● New Civil Code § 1798.135(g) - no liability if a business communicates an opt-out request to a person (per subsection f) who fails to honor it (provided no actual knowledge or reason to believe) ● New Civil Code § 1798.140(h) - Consent does not include "acceptance of a general or broad terms of use" that describes "personal information processing along with other, unrelated information . . . ." ● New Civil Code § 1798.150 - implementation and maintenance of reasonable security procedures and practices does not amount to a cure ● Litigation between and among a business, service provider, contractor and other third parties ● Putative class action litigation ● Other claims (other than the CPRA)

17. Impacts - Actual and Potential 17 ● US Federal ○ US Federal Law - potential ■ Promising privacy laws increasingly gaining traction ■ Major factors - pre-emption and right to private action ○ US Enforcement Actions ■ Agencies ○ US Supreme Court appointment ■ Replaced liberal with conservative ■ Consider Carpenter v. United States 585 US ___ (2018) 5-4 decision ● New Administration ○ Biden / Harris transition team ● International ○ Negotiations with European Union - Schrems II ○ US Agencies may have changes in priorities and personnel ○ FISA s. 702 changes?

18. Thoughts - what can we look forward to? 18 ● Privacy and Digital Rights for All - A blueprint for the next administration - 10 points https://mkus3lurbh3lbztg254fzode-wpengine.netdna-ssl.com/wp-content/uploads/Privacy- And-Digital-Rights-For-All-A-blueprint-for-the-next-Administration.pdf ● Litigation - will we see more litigation on privacy and security? ● Enforcement - federal or state ● States - incorporating privacy into other sector laws ● California amending CPRA ● Companies leveraging privacy (adtech, identity verification, data discovery) ● The Privacy field ○ Lawyers - need to be savvier on privacy & law firms more active in building programs ○ Non-lawyers - learn privacy laws ○ Privacy falling under security professionals ○ Understand and use technology / awareness & knowledge / connections (networking) ● Companies looking for guidance - benchmarking metrics

20. © 2019 TrustArc Inc Proprietary and Confidential Information Thank You! See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.

21. Upcoming Webinars 21 Past Webinars Building Consumer Trust through Data Subject Rights / DSAR Management October 14, 2020 @ 9:00 PST The Brazilian LGPD is Here: What You Need to Know Free Download How to Leverage Your GDPR Compliance for CCPA, Privacy Shield & More New Requirements Free Download