SR 09-24-2019 13F

13.F
September 24, 2019

Council Meeting: September 24, 2019
Santa Monica, California

CITY CLERK’S OFFICE - MEMORANDUM

To: Mayor and City Council
From: Denise Anderson-Warren, City Clerk, Records & Elections Services Department
Date: September 24, 2019

13.F Request of Councilmember McKeown that, in light of the new complexities revealed in the recently adopted City of Santa Monica Privacy and Security Statement, and the pending imposition on certain businesses of the California Consumer Privacy Act, Council direct staff to schedule a study session on City privacy policies and protections to hear public concerns and gather Council direction on appropriate standards for City data collection and usage.

9/19/19, 10:15 AM, City of Santa Monica - City of Santa Monica’s Privacy and Security Statement Introduction, https://www.smgov.net/privacy/

City of Santa Monica’s Privacy and Security Statement

Introduction

The City of Santa Monica collects personal information from the public to assist us in providing many important services, including but not limited to recreation programs, recycling and waste management, street and landscaping services, permitting, and water delivery. We understand the value of personal information and strive to find a fair balance between gathering information that will assist us in better providing these services and protecting the public’s privacy. This privacy statement explains how and why information is collected from the public, whether in person, over the phone, through social media or a visit to the City’s website, or by mail (electronic or otherwise), and how that information is retained and used by the City. This privacy statement does not apply to information collected by the City for public safety purposes.
Due to the individualized and serious nature of emergency response efforts, a variety of personal information may be collected by first responders and other personnel as needed. Such data collection, use, and disclosure practices are subject to separate policies and fall outside the scope of this privacy statement.

Collection

The City collects different kinds of information from the public to assist in conducting City operations. Some of this information you provide directly to us. Some of it is collected in the course of your interactions with the City. Our goal is to collect information only as reasonably needed to perform City services and provide informed customer care, and to let you know when providing personal information is optional. We also seek to aggregate or otherwise de-identify personal data, when possible, whenever it is not necessary to store or share personally identifiable data elements. Below are some examples of the types of information we collect and how we collect it.

Website Information

The City collects a range of information about visitors to the City’s website. During your visit to the City’s website, you may choose to provide personal information online, for example, by electing to send us an email, complete an online form, or participate in a survey. “Personal information” is information about you that is readily identifiable to you. Personal information includes such things as your name, birthdate, address, phone number, social security number, and driver’s license number. Personal information also includes financial and/or payment card information, for example, bank account information, credit or debit card numbers, or other billing information, that you may provide to sign up or pay for City services. We collect no personal information about visitors to our website unless you voluntarily provide it by sending an email, participating in a survey, completing an online form, or engaging in an online transaction.
You may choose not to send an email, participate in a survey, provide personal information using an online form, or engage in an electronic transaction. But you may not be able to access certain user-specific features of the web site without providing personal information.

Information collected from all visitors to our website

Even if you do nothing during your visit to our website but browse, read pages, or download information, certain information will be collected, aggregated and used for analytical and statistical purposes to help better manage the site. When you visit a page on the site, information may be automatically collected and stored through the use of cookies and other similar tracking technologies. Examples of the information that may be collected and stored are:

1. The internet domain (for example, "xcompany.com" if you use a private Internet access account, or "yourschool.edu" if you connect from a university's domain) and Internet Protocol (IP) address from which you access the City's website;
2. The type of browser and operating system used to access the City's website;
3. The date, time and duration of the visit, as well as the general geographic location of the device from which the visit is made;
4. Derived demographic information;
5. The web pages and/or services you accessed during your visit, as well as any applications used and forms data; and,
6. If you link to the City's website from another website, the address of that other website.
We may use this data automatically collected through cookies and other technologies to: (a) remember information so that you will not have to re-enter it during your visit or the next time you visit the site; (b) provide custom, personalized content; (c) provide and monitor the effectiveness of our website; (d) monitor aggregate metrics such as total number of visitors, traffic, usage, and demographic patterns on our website; (e) diagnose or fix technology problems; and (f) otherwise plan for and enhance our website and the services we provide. For example, the City's web site uses software programs to create summary statistics, which are used for such purposes as assessing what information is of most and least interest, determining technical design specifications, and identifying system performance or problem areas. We may also use analytic and security tools hosted by third parties or managed within the City as part of maintaining our web presence. These tools help us measure traffic and usage trends for our web site and help ensure that this service remains available to all users. These tools can also be used to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. Except for authorized law enforcement investigations and the security purposes mentioned elsewhere in this notice, no other attempts are made to identify individual users or their usage habits. The City does not generally use cookies or other tracking technology to track its users across websites or over time, nor does it permit third-party ad networks or other companies to track users on our website. Because we do not track users over time and across websites, your use of the Do Not Track feature on your browser will have no effect on our website. As noted above, we may employ cookies to control the operation of our website. 
Cookies are pieces of information generated by our web server and stored (temporarily) on the end user’s computer to facilitate the current website visit. In the event a cookie is used, its use will be transient in nature and will apply only to the website visit in progress. Generally, if you choose to, you may disable cookies through your browser settings. (For example, in Google Chrome, under settings, privacy and security, content settings, you can elect not to allow sites to save and read cookie data and/or block third-party cookies, and you can also choose to see all cookies.) Disabling cookies, however, may mean that you are unable to use certain features of our website.

Information collected from website visitors who choose to provide personal information online.

If during your visit to our website you participate in a survey, send an e-mail, participate in a City hosted web-based discussion, register an account, participate in online commerce, or perform some other transaction online, we may collect personal information from you, including:

(a) the e-mail address, and contents of the e-mail, for those who communicate with us via e-mail;
(b) information provided while participating in a City hosted web-based discussion;
(c) information volunteered in response to a survey;
(d) information provided through an online form for any other purpose;
(e) information submitted when participating in an online transaction with the City; and
(f) information provided when you register an account.

The information collected is not limited to text characters and may include location, audio, video, and graphic information formats you send us.
In order to provide online transaction capabilities, the name, address and payment information (if applicable) that you provide when using this website may be collected and processed to complete an online transaction and for record-keeping for such activities as billing, permits, licenses and other business-related purposes. Every effort is made to protect any sensitive personal information you provide online. For online payment transactions, we use a third-party payment processor that has in place industry-standard data security protocols to ensure that the payment transactions will be conducted securely. If City personnel take payment information, it is used only for the transaction at hand and is not kept, stored, or used for any other purpose. The City does not store credit card information on any of its servers and will not disclose credit card information to any third-party except as necessary to complete your online transaction or as required by law.

Information collected from your mobile device.

If you access our website and online services or use an application on a mobile device, we may collect certain information about that device. Messages sent from certain mobile devices contain unique identifiers about the physical location of such devices. Mobile devices also typically transmit caller ID data when used to transmit a telephone call or text message. Depending on the device and its settings, this information includes but is not limited to geolocation data, unique device identifiers and other information about your type of device, wireless provider, date and time of transaction, browser type, browser language and other transactional information. We may use this information to contact you and to respond to requests. With the exception of certain public safety emergency notifications, we will not use your phone number to initiate a call or SMS text message to you without your express prior consent.
The City of Santa Monica may periodically offer non-emergency SMS alerts. These alerts will only be sent to those who have subscribed to them, and subscribers will be provided with the option to cancel their subscription. By signing up to receive those alerts, subscribers acknowledge that SMS message charges may apply depending on their individual mobile carrier and plan. Your wireless carrier and other service providers also collect data about your SMS Service usage, and their practices are governed by their own privacy policies.

Paper forms

City departments may collect information on paper forms as part of providing a government service or community engagement. These forms may request personal information, such as name, birthdate, address, telephone number, and email address. Forms may also request additional information necessary to determine eligibility for a service, such as income. When possible, forms will note what information is required to obtain a government service or participate in a government function, what information is optional, and if there are options for opting out of certain data uses, such as follow-up communications not directly related to the service being requested. City personnel will handle and store paper forms containing personal information using methods intended to ensure the security of the personal information.

Telephone calls

Individuals may contact the City via phone such as when calling a City department or staff member directly. Our phone system automatically logs the phone number and other characteristics of calls to and from City numbers, such as call duration and the extension in the City that received or made a call. It is not possible to opt-out of this collection. During the course of your call to a City call center, we may ask for additional information. This information will be used to help provide the requested service. The call taker will inform you about what information may be optionally provided.
We will also provide notice if, and when a call center records a call for training purposes or to improve the services. We may also collect personal information when we call you or notify you of an event via phone or text message, including by creating a record of when a call was made and whether it was received by a live person. With the exception of certain public safety emergency notifications, we will not use your phone number to initiate a call to you without your express prior consent.

Email communications

When you send an email to a City email address, such as hello@santamonica.gov, we collect personal information that may be contained in the email message and automatically log certain information about the message, including the sender information, the IP address, routing information, and email address. It is not possible to opt-out of this collection. In some cases, when the City sends an email to a user, it may contain beacons, which help the City track which emails have been opened and which links are clicked by our recipients.

Opting-Out

While it may limit the services we are able to provide or limit the services you are able to access online, where it is possible we will present information about what we are collecting and provide an opportunity to decline to provide it to us and/or to opt-out of uses we may take with the information, such as using your email address to send follow-up communications not directly related to the service being requested. Please understand that in some circumstances, we may not be able to provide the desired services if you decline to provide necessary information.

Using your information

We recognize that the public expects government both to protect individual privacy and to operate effectively. Toward that end, the City of Santa Monica uses personal information in the course of providing services, protecting the public’s safety, meeting our mission obligations, and determining the best use of our resources.
We endeavor to collect only as much information as is necessary to perform these functions and to limit information use to the purpose stated at the time of collection and to protect and improve our services. Here are examples of the use we make of information we collect.

Research and Audit

We may use information we collect to help the City better understand community needs and improve the efficiency, effectiveness, and equity of our service delivery. When performing research, attempts will be made to de-identify data, either performing analysis at an aggregate level or removing data elements containing personal information that are not necessary for analysis. We may also use collected information to ensure that our online website services remain available to all users, to detect fraudulent transactions, and to identify unauthorized attempts to upload or change information or to otherwise interfere with service delivery.

Informational Communications

Should you provide the City of Santa Monica with personal information by sending an e-mail, filling out and submitting an online form, or registering an account, the information provided may be used to respond to you and to assist in providing you with the information or service requested. Survey information is used for the purpose identified by the survey. Information from online forms and account registrations is used for conducting City business related to the online form or account registration. In addition to the uses described above, personal information you provide may be used to place you on email lists used to generate emails to you to inform you about City initiatives, programs, and events that may be of interest to you.
Any email you receive as a result of being placed on such a list will provide you with the option to opt out of receiving future emails from that list. Personal information you provide may also be used to invite you to subscribe to email or e-newsletter services that may be of interest to you. The City offers several email and e-newsletter services to inform users about City initiatives, programs, and events. These are all “opt-in” email and e-newsletter services, meaning that users must indicate their interest by choosing to subscribe to the email or e-newsletter service and providing their email addresses. If you choose to subscribe to a City email or e-newsletter service, you will always have the option of canceling your subscription or changing your preferences – this option will be included at the bottom of each email or e-newsletter you receive. Any online form, account registration, or survey response you submit will include at the bottom an option to opt-out of receiving any invitations to subscribe to email or e-newsletter services.

Sharing your information

We do not sell personal information to third parties, nor do we profit from sharing personal information with third parties. We may share personal information to coordinate delivery of services to the public, improve customer service, maintain data consistency, assess program performance, and identify opportunities to improve our operations. We may also share information where we are required to do so by law. We may also share information that has been aggregated or de-identified. How we do and do not share personal information is described below.

Internal sharing within the City

We share personal information within the City to enable different City departments to use that information to assist in providing the services for which they are responsible, to assess their performance, to improve their customer service, and to identify opportunities to improve their operations.
Sharing with third-parties

We share personal information with third parties who provide services on behalf of the City when that personal information is necessary for them to provide the services. For example, the City may share personal information with a consultant who is doing research on behalf of the City that requires the use of personal information to provide meaningful results. The City also contracts with third parties to handle data containing personal information. For example, the City contracts with third parties to process financial transactions, technology companies that provide cloud and managed services, and analytics companies that measure traffic visiting the City’s websites. In doing so we comply with state and federal laws and follow information security practices to protect both physically and electronically stored and transmitted data. We do not sell personal information to third parties for marketing purposes or for their own commercial use. The City also does not sell aggregated, anonymized data to third parties for marketing purposes or for their own commercial use. Certain of the third parties with whom the City contracts may, however, market aggregated, anonymized data derived in whole or in part from City data.

Sharing with government agencies

We may share information with other government agencies, external service providers, researchers, contracted vendors, and others to perform city functions and comply with applicable laws. We ask third parties to abide by our privacy principles when handling data provided by the City. In many cases, we require compliance through contractual obligations that include: (a) providing notice when information is collected and used on our behalf by contracted third parties; and (b) directing that contracted third parties agree to and follow our contractual privacy requirements.
Public record disclosures

You should be aware that information that you provide to the City of Santa Monica, whether through the City’s website, emails sent to the City, or any other methods, may be considered public records pursuant to the California Public Records Act, Government Code §§ 6250 et seq. (PRA). As a government agency, we are subject to this law, and any information received through the City’s website is subject to the same provisions as information provided on paper. As a result, under some circumstances, some of the personal information you provide, including your email address, may not be considered private and may be subject to disclosure under the PRA. For a more complete discussion of the PRA, please refer to the California Attorney General’s summary of the PRA and/or the California League of Cities guide to the PRA, which can be found at the following links: https://oag.ca.gov/sites/all/files/agweb/pdfs/publications/summary_public_records_act.pdf

Retention

Public records created or received by the City must be retained for legal or operational purposes according to applicable laws. As a government entity, much of the information that the City collects is considered a public record regardless of format or where it is stored. The City maintains a records retention schedule indicating the standard time periods for retention of identified categories of records. A copy of the City’s current records retention schedule is maintained by the City Clerk.

Accuracy

We take reasonable steps to ensure that personal information we have is up-to-date. Where possible, we implement processes for updating inaccurate information that is used in the course of doing business.

Accountability

We comply with laws, statutes and regulations that govern the information we collect.
We also seek to follow best practices and implement internal policies to reduce or eliminate the potential impact of new technologies and practices on the public’s privacy. Should we become aware of programs or applications that are contrary to this privacy statement we will take steps to educate staff and remediate the issue.

Endorsements and Links

Content on the City of Santa Monica’s website is intended to provide information about City services and City events, keep residents and visitors informed about matters of interest, and help the City fulfill service requests. Any inclusion of third-party hyperlinks, images, applications, or references on the site does not constitute an endorsement or recommendation by the City of Santa Monica. Their inclusion is simply to provide website visitors with relevant information and resources. The City of Santa Monica’s website has many links to other websites. These include links to websites operated by other government agencies, nonprofit organizations, and private businesses. When you use a link to access another website, you are no longer on the City of Santa Monica’s website and the City of Santa Monica’s privacy and security policy will not apply. When you use a link to access another website, you will be subject to, and we encourage you to examine, the privacy and security policy of that new site.

Children

A number of pages on the City of Santa Monica’s website provide information about youth services and programs. And, in signing children up for youth services or programs, parents may be asked to provide personal information for their children. This personal information will be subject to the same protections and limitations on use and sharing specified in this privacy policy.
Security

For site security purposes and to ensure that this website and the services offered through it remain available to all users, the City of Santa Monica employs commercial software designed to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. Unauthorized attempts to upload information or change information on this website or any of the services offered through it are strictly prohibited and may be punishable by law. The City has taken steps to safeguard the integrity of its data and to prevent unauthorized access to information it maintains. Depending on the type of information, we may use physical, administrative and technological techniques to protect data including but not limited to access control, monitoring, auditing, and encryption to secure data. Security measures have been integrated into the design, implementation and day-to-day practices of the entire operating environment as part of the City’s continuing commitment to protecting our environment. This information should not be construed in any way as giving business, legal, or other advice, or warranting as fail proof, the security of information provided via the City's web site. Please remember that no security system is impenetrable, and we cannot guarantee the security of our systems 100%. In the event that any information under our control is compromised as a result of a breach of security, the City will take reasonable steps to investigate the situation and where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.

Intellectual Property

Some content on the City’s website, including the City logo, the Santa Monica City Pier logo, and other graphics and images, are copyrighted either by the City of Santa Monica or by a third-party provider.
Any third-party images, graphics, or content on our website is used with permission from the copyright holder. Before reproducing or otherwise using any content from our website, including images and graphics, users must obtain permission from the appropriate copyright holder. If you wish to use any content from our site as to which the City of Santa Monica holds the copyright, or to inquire as to who the copyright holder for certain content is, please submit an inquiry to hello@santamonica.gov (be sure to specify the page on which the content appears, and the specific content on that page to which your inquiry pertains). The City’s website also uses the City of Santa Monica Seal. Santa Monica Municipal Code § 2.32.020 prohibits use of the City Seal for anything but official City business.

Disclaimer

The City of Santa Monica is neither responsible nor liable for any viruses or other contamination of your system nor for any delays, inaccuracies, errors or omissions arising out of your use of the City’s website or out of material obtained from this website, including without limitation, any material sent to you via the City’s website. The information and materials on our website have been compiled from a variety of sources and are subject to change without notice. The City of Santa Monica does not make any warranties or representations with respect to the content, quality, accuracy, or completeness of any information or materials contained on our website or through links to other websites, including but not limited to: text, graphics, applications, databases, services, or any other information or materials.
The City’s website and all materials distributed on it are distributed and transmitted "as is" without warranties of any kind, either express or implied, including without limitation, warranties of title or implied warranties of merchantability or fitness for a particular purpose. The City of Santa Monica is not responsible for any special, indirect, incidental, or consequential damages that may arise from the use, completion, or accuracy of financial transactions conducted on, or the inability to use, our website and/or the materials distributed by our website, whether the materials distributed by our website are provided by the City of Santa Monica or a third party. Communications to the City of Santa Monica via the City’s website shall in no way be deemed to constitute legal or official notice to the City, its agencies, officers, employees, representatives or agents with respect to any existing, pending or future claim or cause of action against the City or any of its agencies, officers, employees, representatives or agents where notice is required by Federal, State or local law. Nor shall communications to the City via the City’s website be deemed to constitute legal or official notice for any other purpose.

Contact

If you have any questions regarding the City of Santa Monica’s privacy statement or data security, or if you have any comments, suggestions, or corrections regarding the information contained on the website, please contact us at: hello@santamonica.gov.

City of Santa Monica © 2019, 1685 Main St., Santa Monica, CA 90401

9/19/19, 10:11 AM, Council Post: The Wider Implications Of The California Consumer Privacy Act, https://www.forbes.com/sites/forbestechcouncil/2019/05/14/the-wider-implications-of-the-california-consumer-privacy-act/#727ee1d63d95

May 14, 2019, 08:00am
POST WRITTEN BY Daniel Garrie Esq.
Founder and managing partner at Law & Forensics.
The Wider Implications Of The California Consumer Privacy Act

Innovation
Daniel B. Garrie Esq., Forbes Councils Member
Forbes Technology Council, COUNCIL POST | Paid Program

Without a federal standard for digital privacy legislation, states are left to their own devices in enacting internet and data privacy laws. The result is a cacophonous patchwork of state legislation, leaving businesses scratching their heads and lawyers haphazardly navigating layers of red tape. Enter California’s most recent digital privacy initiative: the California Consumer Privacy Act of 2018 (CCPA). CCPA affects those businesses buying, selling or otherwise in the trade of the “personal information” of California residents -- all 39.54 million of them.

In 2019, personal information is the bread and butter of tech companies. It is the price consumers pay for using “free” internet websites and applications. What consumers don’t pay in USD, they pay in PII. The CCPA represents an attempt to regulate this economy of personal information by granting California residents more visibility into and control over the ways their personal information is used. Below is a general overview of some of the key provisions of CCPA and some thoughts on its wider implications.
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is much broader than the traditional definition of personal information seen in most privacy laws in the United States. However, the CCPA does exclude publicly available information, defined as information "lawfully made available from federal, state, or local government records, if any conditions associated with such information" excluding biometric information collected without the consumer’s knowledge and personal information used for a purpose different from the one for which the information is maintained and made available in the government records or otherwise publicly maintained.

The range of companies subject to CCPA is also fairly broad. In short, CCPA applies to companies that are for-profit, collect and process the personal information of California residents, do business in the State of California and meet at least one of the following criteria:

• Has annual gross revenues in excess of $25 million.
• Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices.
• Derives 50% or more of its annual revenues from selling consumers’ personal information.
The CCPA grants California residents more visibility into and control over their personal information primarily through the following four requirements:

• Notification of personal information collection: At or before the point of collection, businesses must notify consumers that they are collecting the consumer’s personal information, what personal information is being collected, how that personal information is being collected, how the business intends to use such personal information, and whether and to whom it is being disclosed or sold.
• Personal Information Sale Opt-out: Businesses must notify consumers that they are selling the consumers’ personal information, that the consumers have a right to opt out of such sale, and must post a “Do Not Sell My Personal Information” link on its homepage, which allows consumers to easily exercise that right of opting-out.
• Personal Information Removal: A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer's personal information in response to a verifiable consumer request, subject to certain exceptions.
• Service Equality: "A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. Generally, the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA. However, the CCPA does allow a business to charge a different price or provide a different level of service to customers if ‘that difference is reasonably related to the value provided to the consumer by the consumer’s data.’ Businesses can offer consumers financial incentives to allow Personal Information collection," per BenefitsPRO.
With its aggressive stance on data protection and privacy rights, the CCPA exemplifies just how wide the gap is between individual state digital privacy laws. To contrast with California, South Dakota’s first-ever data breach notification law went into effect in July 2018.

In fact, the CCPA resembles the European Union’s General Data Protection Regulation (GDPR) more than it does other U.S. state data privacy laws. Like the GDPR, the CCPA approaches data privacy from an opt-in perspective. Both the GDPR and CCPA grant the consumer the right to access the personal information collected. GDPR and CCPA are grounded in the idea that digital privacy is a right, not a bargaining chip.

The GDPR works, in part, because it applies to the entire European Union. However unique the California jurisdiction may be, it is still a bona fide member of the United States of America (and the third-largest at that).

The CCPA treats digital privacy like a personal right to be placed back in the hands of consumers. While, in theory, this sounds like a progressive idea, the practical implementation of CCPA in isolation hardly “protects” the consumer. Rather, it complicates the already murky waters of data privacy.

Ultimately, I believe the CCPA is red tape without results. The choice between geofencing the interfaces of California residents and upending consumer information-driven business models is not one that many are looking forward to making. While California may be a legislative leader in many respects, in the digital privacy arena, California may have started the race without tying its shoes.
Daniel B. Garrie, Esq., Co-Founder of Law & Forensics, overseeing global forensics and cybersecurity engineering practice groups....

California Consumer Privacy Act (“CCPA”) White Paper
October 1, 2018

DOMINIQUE SHELTON LEIPZIG | PARTNER | +1.310.788.3327 | DSheltonLeipzig@perkinscoie.com
SARI RATICAN | SENIOR COUNSEL | +1.310.788.3287 | SRatican@perkinscoie.com
LAURA MUJENDA | ASSOCIATE | +1.310.788.3309 | LMujenda@perkinscoie.com

Table of Contents

I. OPENING
II. BACKGROUND
III. CCPA BASICS
    A. Eight Consumer Rights
        1. Abbreviated Disclosure Right Applicable to Businesses that Collect PI
        2. Expanded Disclosure Right Applicable to Businesses that Collect PI
        3. Right to Request Information from Businesses that Sell or Disclose PI for a Business Purpose
        4. Right to Opt Out of the Sale of Data
        5. Right to Opt In for Children: Business Obligation Not to Sell Children’s PI Without Affirmative Authorization
        6. Deletion Right
        7. Right to Access and Portability
        8. Right Not to be Discriminated Against for Exercising Any of the Consumer’s Rights Under the Title
    B. Eight Corresponding Business Obligations
        1. Obligation to Respond to Abbreviated Disclosure Request:
        2. Obligation to Respond to Expanded Disclosure Request:
        3. Obligation to Respond to Request for Information from Businesses that Sell or Disclose PI for a Business Purpose:
        4. Obligation to Respond to Request to Opt Out of the Sale of Data:
        5. Obligation to Respond to Obtain Opt-In Consent for Children:
        6. Obligation to Respond to Deletion Requests:
        7. Obligations to Respond to Requests for Access and Portability:
        8. Obligation Not to Discriminate Against Consumers Exercising Their CCPA Rights:
    C. Independent Business Obligations
        1. Train Employees:
        2. Create Designated Methods for Consumers to Assert Their Rights:
        3. Execute Vendor Contracts Containing Specific Criteria:
    D. General Business Defenses
    E. Applicable Exemptions
IV. PENALTIES
V. AREAS OF INFLUENCE
VI. CONCLUSION

I. OPENING

Does your company process personal information of California residents (e.g., by using analytics on your website)? If so, it is imperative that you pay close attention to the California Consumer Privacy Act (“CCPA”), which goes into effect on January 1, 2020. The CCPA goes well beyond the European Union’s General Data Protection Regulation (“GDPR”); however, if you have achieved compliance with the GDPR, you may be able to leverage your GDPR program to achieve CCPA compliance. Once in effect, the CCPA will require businesses processing the personal information (“PI”) of California consumers (defined as California residents) to comply with new regulations governing the processing of their PI. Businesses that meet the statutory definition will have to respond to eight specific consumer rights, observe restrictions on data monetization business models, and update their privacy notices to provide detailed disclosures about their data handling practices concerning California residents’ PI.

II. BACKGROUND

The impetus for the CCPA was a growing concern regarding the volume of data collected about California consumers. In June 2018, a privacy initiative qualified for the ballot with 629,000 signatures, nearly twice the signatures required. To facilitate amendments and respond to heavy criticism regarding workability, the ballot initiative was withdrawn from the November 2018 ballot in exchange for California Assembly Bill (“AB”) 375—the first iteration of the CCPA. On June 28, 2018, California Governor Brown signed AB 375 into law.
Shortly thereafter, California Senate Bill (“SB”) 1121 was introduced to amend the CCPA in five ways: (1) eliminating the requirement that a consumer bringing a private right of action first notify the Attorney General; (2) including a carveout for providers of health care governed by the California Confidentiality of Medical Information Act; (3) including an exemption for business associates under the Health Insurance Portability and Accountability Act of 1996;[1] (4) carving out any conflicts with the California Financial Information Privacy Act;[2] and (5) limiting civil penalties assessed in an Attorney General action to not more than $2,500 per violation or $7,500 per intentional violation. On September 23, 2018, Governor Brown signed SB 1121 into law. Nevertheless, further amendments are likely forthcoming given that the current amendments do not address all the concerns raised by industry and consumer groups, as well as the California Attorney General, Xavier Becerra.

III. CCPA BASICS

The CCPA gives California consumers/residents[3] eight new privacy rights and imposes eight corresponding as well as three independent obligations on businesses processing California consumers’ PI. Among other rights, it gives California consumers the right to request that a business provide the requesting consumer the categories and specific pieces of PI it collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. Further, consumers have a right to request a business that sells or discloses their PI for a business purpose to disclose the identity of third parties to which the information was sold or disclosed. Under the CCPA, businesses must verify the requesting consumer’s identity, promptly act on the consumer’s request, and update their general privacy policy to include (among other items) a description of California consumers’ rights, the purpose(s) of PI collection, and the categories of PI sold, collected or disclosed for a business purpose in the past 12 months. Businesses also have an obligation to provide the requested PI in a readily useable and portable format and respect consumers’ choice to opt out of the sale of their PI. The CCPA prohibits businesses from discriminating against consumers who exercise their rights under the CCPA. Finally, the CCPA compels businesses to train employees, to create designated methods for consumers to assert their rights under the CCPA, and to execute written agreements with third-party data processors to prohibit selling, retaining, using, or disclosing the PI subject to the agreement.

The CCPA expands the definition of PI beyond the GDPR and well beyond current U.S. privacy law. It defines PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”[4] (emphasis added). The definition also includes personal identifiers; IP addresses; commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies; Internet or other electronic network activity information; professional or employment-related information; or any consumer profile.

[1] Cal. Civ. Code Section 1798.145(c)(1)(A)-(B).
[2] Cal. Civ. Code Section 1798.145(e).
[3] Cal. Civ. Code Section 1798.140(g) (defining “consumer” as a natural person who is a California resident); Cal. Code Regs. Tit. 18, Section 17014.
In addition to the business obligations under the CCPA, businesses are provided with several general defenses and applicable specific exemptions to consumer requests and enforcement actions.

A. Eight Consumer Rights

The CCPA provides consumers with eight exercisable rights regarding their PI being held by a business as follows:

1. Abbreviated Disclosure Right Applicable to Businesses that Collect PI provides a consumer the right to request that a business disclose the categories and specific pieces of PI collected about them.[5]

2. Expanded Disclosure Right Applicable to Businesses that Collect PI provides a consumer the right to request that a business disclose the categories and specific pieces of PI collected, the sources from which the PI is collected, the business or commercial purpose (similar to legitimate interests under the GDPR) of collection, and with whom the collected PI is shared (i.e., third-party sharing).[6] Consumers have the right to receive a specific notice of the business’s PI collection practices[7] as well as notice of these rights within the business’s general privacy policy.

3. Right to Request Information from Businesses that Sell or Disclose PI for a Business Purpose provides consumers the right to request that a business disclose the following for the previous 12 months: the categories of PI collected and sold, the categories of third parties to whom data is sold, and the categories of PI disclosed about the consumer for a business purpose.[8] Consumers have the right to receive specific notice of the business’s PI collection practices as well as notice of these rights within the business’s general privacy policy.[9]

4. Right to Opt Out of the Sale of Data gives consumers or their authorized agent the ability to direct businesses to stop selling their PI to third parties.[10] Consumers have the right to receive notice of these rights within the business’s general privacy policy, as well as a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” leading to an internet web page that enables a consumer to opt-out of the sale of the consumer’s PI.[11]

5. Right to Opt In for Children: Business Obligation Not to Sell Children’s PI Without Affirmative Authorization provides that a business must obtain the opt-in consent from a child (between ages 13-16) or the child’s parent or guardian (if the child is under the age of 13) before selling the child’s PI.[12]

6. Deletion Right gives consumers the right to request that a business delete their PI after receipt of a verifiable request.[13] In support of this right, consumers have the right to receive notice of their right to deletion within the business’s general privacy policy.[14]

7. Right to Access and Portability provides consumers the right to access their PI after submitting a verifiable access request.[15]

8. Right Not to be Discriminated Against for Exercising Any of the Consumer’s Rights Under the Title gives consumers the right to not be discriminated against for exercising their rights under the CCPA. Examples of discrimination include denying goods or services to the consumer,[16] charging different prices or rates for goods or services,[17] providing a different level or quality of goods or services to the consumer,[18] or suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.[19]

[4] Cal. Civ. Code Section 1798.140(o).
[5] Cal. Civ. Code Section 1798.100(a).
[6] Cal. Civ. Code Section 1798.110(a).
[7] Id.; Cal. Civ. Code Section 1798.110(c); Legislative Digest at p. 91; Cal. Civ. Code Section 1798.130(a)(5)(B).
[8] Cal. Civ. Code Section 1798.115(a).
[9] Cal. Civ. Code Section 1798.115(c); Cal. Civ. Code Section 1798.130(a)(5)(C).
[10] Cal. Civ. Code Section 1798.120(a).
[11] Cal. Civ. Code Section 1798.135(a)(1)-(a)(2).
[12] Cal. Civ. Code Section 1798.120(c)-(d).
[13] Cal. Civ. Code Section 1798.105(a).
[14] Cal. Civ. Code Section 1798.105(b); Cal. Civ. Code Section 1798.130(a)(5)(A).
[15] Cal. Civ. Code Section 1798.100(d); Legislative Digest Section 2(i)(4).
[16] Cal. Civ. Code Section 1798.125(a)(1)(A).
[17] Cal. Civ. Code Section 1798.125(a)(1)(B).

B. Eight Corresponding Business Obligations

To support California consumers’ new rights, the CCPA has imposed eight corresponding business obligations. In order to appropriately respond to each request, businesses should first verify the requesting consumer’s identity and the validity of the request. Only upon successful verification, and satisfaction that applicable defenses do not apply, should businesses act upon the request-specific obligation(s).

1. Obligation to Respond to Abbreviated Disclosure Request: Once the requesting consumer’s identity has been verified, and assuming no defenses apply, the business must disclose and deliver the categories and specific pieces of the consumer’s PI collected in the 12 months preceding the request free of charge within 45 days of receiving the verifiable request (unless an extension of an additional 45 days is necessary and the consumer is given notice of the extension).[20] A business has the obligation to provide the categories of PI collected in a general notice to consumers within its stated privacy policy.[21] In addition to responding to the requested disclosure, a business must implement two or more designated methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address.[22] Here, the CCPA goes beyond GDPR Article 13 by requiring identification of specific pieces of information about the consumer and requiring special notice to individual consumers outside of a privacy policy.
And unlike GDPR Article 20, which entitles the data subject to “receive” the data, the CCPA’s Abbreviated Disclosure Right only calls for the company to “disclose and deliver the required information.”

2. Obligation to Respond to Expanded Disclosure Request: Once the requesting consumer’s identity has been verified,[23] if defenses do not apply, the business must disclose and deliver the following information covering the 12 months preceding the request: the categories of PI collected,[24] the categories of sources from which PI is collected,[25] the business or commercial purpose for collecting or selling the PI[26] (similar to legitimate interests under the GDPR), the categories of third parties with whom the business shares PI,[27] and the specific pieces of PI the business collected about the consumer.[28] The information must be provided free of charge within 45 days of receiving the verifiable request (unless an extension of an additional 45 days is necessary and the consumer is given notice of the extension).[29] Disclosure must be made in writing and delivered[30] through the consumer’s account with the business if the consumer maintains such an account, or via postal mail or electronically at the consumer’s option, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.[31] A business must not require the consumer to create an account with the business to make a verifiable request.[32] A business also has the obligation to provide the categories of PI collected in a general notice to consumers within its stated privacy policy.[33] Lastly, a business must implement two or more designated methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address.[34]

The notice of business purpose under the CCPA is similar to the GDPR’s notice of legitimate interest. The CCPA requirement to disclose “the business or commercial purposes for collecting or selling PI” is similar to the GDPR requirement to disclose/notify data subject(s) if relying on legitimate interest to process PI.[35] The CCPA requirement to provide specific pieces of consumer PI collected “in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance”[36] is similar to the GDPR Portability Right in Article 20. However, the GDPR is more restrictive: portability requests may be made only if the business’s lawful basis for processing the PI is the data subject’s consent[37] or contractual necessity.

[18] Cal. Civ. Code Section 1798.125(a)(1)(C).
[19] Cal. Civ. Code Section 1798.125(a)(1)(D).
[20] Cal. Civ. Code Section 1798.110(b); Cal. Civ. Code Section 1798.130(a)(2).
[21] Cal. Civ. Code Section 1798.100(b).
[22] Cal. Civ. Code Section 1798.130(a)(1); Cal. Civ. Code Section 1798.140(i).
[23] Cal. Civ. Code Section 1798.110(b); Cal. Civ. Code Section 1798.130(a)(3)(A).
[24] Cal. Civ. Code Section 1798.110(c)(1).
[25] Cal. Civ. Code Section 1798.110(c)(2).
[26] Cal. Civ. Code Section 1798.110(c)(3).

3. Obligation to Respond to Request for Information from Businesses that Sell or Disclose PI for a Business Purpose: Once the requesting consumer’s identity has been verified, subject to appropriate defenses, the business must create two separate lists covering the preceding 12 months: (1) PI sold; and (2) PI disclosed for a business purpose.[38] The information must be provided free of charge within 45 days of receiving the verifiable request (unless an extension of an additional 45 days is necessary and the consumer is given notice of the extension).[39] In addition to responding to the requested disclosure, a business must implement two or more designated methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address.[40] Lastly, a business that sells consumer PI or discloses it for a business purpose must disclose such within its online privacy policy.[41] This right goes beyond GDPR Article 13 and requires notice of specific categories of data sold or disclosed that are relatable to specific consumers.[42]

[27] Cal. Civ. Code Section 1798.110(c)(4).
[28] Cal. Civ. Code Section 1798.110(a)(5).
[29] Cal. Civ. Code Section 1798.130(a)(2).
[30] Id.
[31] Id.
[32] Id.
[33] Cal. Civ. Code Section 1798.130(a)(2).
[34] Cal. Civ. Code Section 1798.130(a)(1); Cal. Civ. Code Section 1798.140(i).
[35] GDPR Art. 13(1)(d).
[36] Cal. Civ. Code Section 1798.130(a)(2).
[37] Id.; GDPR Art. 20(1)(a).
[38] Cal. Civ. Code Section 1798.130(a)(4)(B).
[39] Cal. Civ. Code Section 1798.130(a)(2).

4. Obligation to Respond to Request to Opt Out of the Sale of Data: Once the requesting consumer’s (or consumer’s authorized representative’s[43]) identity has been verified, and assuming no general or specific defenses apply, the business must stop selling the consumer’s data unless the consumer subsequently provides express authorization for the sale of the consumer’s PI.[44] A business must respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s PI again.[45] An exception does exist for PI collected in connection with a consumer’s exercise of an opt-out request if the PI is solely used for complying with the opt-out request.[46] This consumer right goes beyond GDPR Article 18, which is limited to the four circumstances where a user is contesting accuracy, lawfulness, use beyond a legal claim, or the legitimate interest reasoning.[47] Further, a business must provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” leading to an internet web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.[48] Under the definition of “home page,” a business may include this notice either on its main home page or a separate home page dedicated to California consumers that discloses the California-specific description of their privacy rights.[49]

5. Obligation to Respond to Obtain Opt-In Consent for Children: Businesses are obligated to obtain opt-in consent before selling the PI of a child.[50] A business may obtain opt-in consent from a child, if the child is between the ages of 13 and 16.[51] A business must obtain opt-in consent from a child’s parent or guardian for children under the age of 13.[52] The requirement is similar to the GDPR. However, under the GDPR Article 8, parental (or guardian) opt-in consent is required for children under 16 years of age.[53]

[40] Cal. Civ. Code Section 1798.130(a)(1); Cal. Civ. Code Section 1798.140(i).
[41] Cal. Civ. Code Section 1798.115(c); Cal. Civ. Code Section 1798.130(a)(5)(C).
[42] Id.; GDPR Art. 13.
[43] Cal. Civ. Code Section 1798.120.
[44] Cal. Civ. Code Section 1798.120(c).
[45] Cal. Civ. Code Section 1798.135(a)(5).
[46] Cal. Civ. Code Section 1798.135(a)(6).
[47] GDPR Art. 18.
[48] Cal. Civ. Code Section 1798.135(a)(1).
[49] Cal. Civ. Code Section 1798.135(b).
[50] Cal. Civ. Code Section 1798.120(c)-(d).
[51] Id.
[52] Id.

6. Obligation to Respond to Deletion Requests: Once the consumer’s deletion request has been verified, and assuming no defenses apply, the business must delete the consumer’s PI.[54] The CCPA recommends that such deletion requests be fulfilled within 45 days.[55] Businesses also have an obligation to notify consumers of their deletion rights in a form that is reasonably accessible to consumers[56] via a general privacy notice or in a section specific to California privacy rights.[57] Additionally, businesses must implement two or more designated methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address.[58] A business is not required to comply with a consumer’s deletion request if the PI is necessary for specific enumerated reasons, including to complete a contractual transaction or provide a good or service requested by the consumer.[59] The CCPA’s deletion right is broader than GDPR Article 17’s provisions because the CCPA allows deletion requests to be made for any reason, whereas GDPR Article 17 allows erasure requests only in specific circumstances.[60] However, the deletion right under the CCPA is subject to more defenses for business. For example, a company may defend against a deletion request if the data is needed to investigate a security incident, debug software, or if it is needed for internal uses.[61]

7. Obligations to Respond to Requests for Access and Portability: Once the consumer’s request has been verified, if no other defenses apply, the business must disclose and deliver free of charge the required information via post or electronically in a portable format within 45 days of receiving the verifiable request.[62] If PI is delivered electronically, it should be delivered in a readily useable format to the extent feasible so that the consumer may transfer his or her PI to another business without hindrance. A business is not required to provide PI to a consumer more than twice in a 12-month period.[63] This CCPA right is broader than the data portability right under GDPR Article 20 because data portability requests under the GDPR are limited to those in which the business’s lawful basis for processing the PI is the data subject’s consent or contractual necessity.[64]

[53] GDPR Art. 8.
[54] Cal. Civ. Code Section 1798.105.
[55] Cal. Civ. Code Section 1798.130(a)(2).
[56] Cal. Civ. Code Section 1798.135(a).
[57] Cal. Civ. Code Section 1798.105(b); Cal. Civ. Code Section 1798.130(a)(5)(A).
[58] Cal. Civ. Code Section 1798.130(a)(1).
[59] Cal. Civ. Code Section 1798.105(b).
[60] GDPR Art. 17.
[61] Cal. Civ. Code Section 1798.105(d).
[62] Cal. Civ. Code Section 1798.130(a)(2).
[63] Cal. Civ. Code Section 1798.100(d).
[64] GDPR Art. 20.

8. Obligation Not to Discriminate Against Consumers Exercising Their CCPA Rights: Businesses are prohibited from discriminating against consumers exercising their CCPA rights in the following ways: denying goods or services to such consumers;[65] charging different prices or rates for goods or services, including through the use of discounts or other benefits or by imposing penalties;[66] and providing a different level or quality of goods or services to consumers if they exercise their rights under the CCPA.[67] A business is allowed to charge a higher price/rate or provide a different level/quality[68] if the higher price/rate or different level/quality is reasonably or directly related to the value provided to consumers for their PI.[69] The CCPA also allows a business to offer financial incentives, including payments to consumers as compensation for the collection, sale or deletion of PI, so long as the business notifies consumers of the financial incentives, clearly describes the material terms of the financial incentive program,[70] and obtains their opt-in consent.[71] It is a best practice to place notice of financial incentives in a general privacy policy notice. However, a business may not use financial incentive practices that are unjust, unreasonable, coercive, or usurious,[72] and consumers can revoke their consent at any time.[73] As a compliance best practice, if a business intends to offer financial incentives tied to the exchange of PI, it will be advisable to consider the value of the data associated with the promotion.

C. Independent Business Obligations

Under the CCPA, businesses also have the following independent obligations, not tied to a specific consumer right:[74]

1. Train Employees: The CCPA requires businesses to train employees handling consumer inquiries on the requirements related to CCPA-provided consumer rights and business obligations.[75] Businesses are also obligated to ensure that employees know how to direct consumers to exercise their rights under the law.[76]

2. Create Designated Methods for Consumers to Assert Their Rights: Businesses must create two or more designated methods for consumers to submit requests for information, including a toll-free telephone number and a website address if the business maintains a website.[77] “Designated methods for submitting requests” include a postal mailing address, email address, Internet webpage or portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under the CCPA.[78]

[65] Cal. Civ. Code Section 1798.125(a)(1)(A).
[66] Cal. Civ. Code Section 1798.125(a)(1)(B).
[67] Cal. Civ. Code Section 1798.125(a)(1)(C).
[68] Cal. Civ. Code Section 1798.125(a)(2).
[69] Cal. Civ. Code Section 1798.125(b)(1).
[70] Cal. Civ. Code Section 1798.125(b)(3).
[71] Id.
[72] Cal. Civ. Code Section 1798.125(b)(4).
[73] Cal. Civ. Code Section 1798.125(b)(3).
[74] Cal. Civ. Code Section 1798.130(a); Cal. Civ. Code Sections 1798.140(i), (w)(2)(A).
[75] Id.
[76] Id.
[77] Cal. Civ. Code Section 1798.130(a).

3. Execute Vendor Contracts Containing Specific Criteria: Businesses that engage vendors to handle PI must execute written contracts with specific criteria with those vendors if they want to shift liability to the vendor for any violations of the CCPA caused by the vendor.[79] If the vendor is defined as a “service provider” under the CCPA, it must have a written contract that limits processing to the business purpose of the contract.[80] If the vendor is defined as a “person” under the statute, among other requirements, the contract should prohibit vendors from selling, retaining, using or disclosing the PI outside of the direct business relationship with the business.[81] The contract must also include a certification from the vendor that he/she understands the restrictions and will comply with them.[82]

GDPR Article 28’s vendor obligations are more expansive than those required by the CCPA. Specifically, GDPR Article 28 requires businesses and vendors to enter into data processing agreements whereby vendors attest that they will (i) only process personal data on the business’s documented instructions; (ii) ensure that persons authorized to process data are subject to confidentiality obligations; (iii) take certain security measures; (iv) obtain consent for sub-vendors; (v) help respond to consumer-verified requests; (vi) help with data breach responses; (vii) return or destroy all data at the end of services; and (viii) provide information to demonstrate the business’s compliance with the GDPR, including by allowing and contributing to audits. Businesses should review their vendor contracts to ascertain if they have the requisite language already to shift liability to their vendors or if amendments are necessary.

D. General Business Defenses

The CCPA provides businesses with seven general defenses to the required obligations.
Specifically, a business may assert that (1) it is not a covered business under the CCPA; (2) it is not processing PI as defined under the CCPA; (3) it falls under one of the CCPA’s applicable exemptions; (4) the consumer request is not verifiable; (5) the data was collected for a single, one-time transaction and was not sold or retained; (6) the request would require the business to re-identify or otherwise link information that is not maintained in a manner that would be considered PI; and (7) the action is by the vendor and the proper contractual language is contained in the vendor agreement.

E. Applicable Exemptions

In addition to the general defenses, the CCPA provides seven applicable exemptions for businesses, including, but not limited to (1) data processed pursuant to the federal Gramm-Leach-Bliley Act,83 and (2) the exemption applicable to protected medical or health information that is governed by the California Confidentiality of Medical Information Act,84 the Health Insurance Portability and Accountability Act85 and the Health Information Technology for Economic and Clinical Health Act,86 as well as information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects.87

78 Cal. Civ. Code Section 1798.140(i).
79 Cal. Civ. Code Section 1798.140(v); Cal. Civ. Code Section 1798.140(w)(2)(A).
80 Cal. Civ. Code Section 1798.140(v).
81 Cal. Civ. Code Section 1798.140(w)(2)(A).
82 Id.

IV.
PENALTIES

The CCPA provides a private right of action for any consumer whose nonencrypted PI is subject to an unauthorized access, exfiltration, theft or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices.88 Consumers may (1) recover damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater; (2) seek injunctive or declaratory relief; and/or (3) seek any other relief the court deems proper.89 Prior to initiating any action, a consumer must give the business 30 days’ written notice identifying the specific CCPA provisions that have been or are being violated.90 No action may be initiated if the business cures the noticed violations within 30 days of receiving notice and gives the consumer an express written statement confirming that the violations have been cured and that no further violations will occur.91 However, if the business violates the CCPA in breach of this express written statement, the consumer may initiate an action to enforce the statement and pursue statutory damages for each breach of the statement, as well as any other violation of the title that postdates the statement.92 This statement seems to contradict other sections of the CCPA, which limit a consumer’s private right of action to violations related to security breaches caused by a lack of reasonable security.93 Hopefully, further amendments to the bill may provide more clarity on this issue.

V. AREAS OF INFLUENCE

The Attorney General (“AG”) cannot bring an enforcement action until six months after the publication of the final regulations or until July 1, 2020, whichever is sooner.94

83 Cal. Civ. Code Section 1798.145(e).
84 Cal. Civ. Code Section 1798.145(c)(1)(A)-(B).
85 Id.
86 Id.
87 Cal. Civ. Code Section 1798.145(c)(1)(C).
88 Cal. Civ. Code Section 1798.150(a)(1).
89 Id.
90 Cal. Civ. Code Section 1798.150(b).
91 Id.
92 Id.
93 Cal. Civ. Code Section 1798.150(c).
94 Cal. Civ. Code Section 1798.185(a)(7)(c).

The CCPA calls for the AG to promulgate rules to effectuate the new law.95 The rule-making process will afford many avenues for companies to have their voices heard. Watch our video to learn more about this process: Video Spotlight: Let Your Voice Be Heard: Start With the New California Privacy Law. You may also submit comments regarding the rulemaking process on the Perkins Coie CCPA Business Comments Submission Portal. Please understand that submitting a comment to this portal cannot and does not create any attorney-client relationship between you or your company and Perkins Coie LLP. Perkins Coie is collecting these comments solely as an administrative convenience so that many comments can be gathered and sent to the California Attorney General’s office in a collective fashion. Perkins Coie will not review, analyze for proper form, make any changes to, or otherwise edit any comments submitted and is solely acting as a conduit, not as an advocate or attorney relating to any of these comments. Since there is no attorney-client relationship with Perkins Coie, please do not submit any information to us which you or your company considers confidential. If you would like to discuss engaging Perkins Coie as counsel for your company, please contact Dominique Shelton Leipzig, but any such engagement will be conditioned on our mutual agreement, checking and clearing conflicts and execution of an engagement letter. Thank you for your attention.

On the legislative front, businesses may want to get involved with the California Chamber of Commerce’s lobbying efforts to influence legislative efforts.

VI. CONCLUSION

Before the CCPA goes into effect on January 1, 2020, businesses should prepare data inventories of all PI pertaining to California residents (including employees), households, and devices, as well as information sources, storage locations, usage, and recipients. Absent that discipline, CCPA compliance will not be possible.
Further, more detailed requirements will be enacted during 2019 as additional revisions are debated and the AG begins rulemaking drafting and implementation.

95 Cal. Civ. Code Section 1798.185.

DOMINIQUE SHELTON LEIPZIG | PARTNER | LOS ANGELES, CALIFORNIA
www.perkinscoie.com/DShelton/

Privacy and cybersecurity attorney Dominique Shelton Leipzig co-chairs the firm’s Ad Tech Privacy & Data Management group. She provides strategic privacy and cyber-preparedness compliance counseling, and she defends, counsels and represents companies on privacy, global data security compliance, data breaches and investigations with an eye towards helping clients avoid litigation. Dominique frequently conducts training sessions for senior leadership, corporate boards and audit committees regarding risk identification and mitigation in the areas of privacy and cybersecurity. She leads companies in legal assessments of data security, cyber preparedness and compliance with such regulations as the California Confidentiality of Medical Information Act (CMIA), the Health Insurance Portability and Accountability Act (HIPAA), the Video Privacy Protection Act (VPPA), the Children’s Online Privacy Protection Act (COPPA) and the NIST Cybersecurity Framework. Dominique has significant experience leading investigations related to data and forensic breaches. She has steered investigations for a range of companies, including national retailers, financial institutions, health and wellness enterprises, media companies and others. Dominique also advises companies on global privacy and data security, particularly on the EU General Data Protection Regulation (GDPR). Her background includes advising on European, Asian and South American privacy and security compliance projects for U.S.-based and overseas companies. In addition, she counsels on strategies for related legal compliance and vendor management in cross-border transfers.
Sari Ratican | Senior Counsel | LOS ANGELES, CALIFORNIA

Sari Ratican’s global privacy and data protection practice focuses on providing practical advice tailored to each client’s unique needs. Her advice reflects her extensive in-house experience as the first Chief Privacy Officer for Amgen, Inc., the world’s largest biotechnology company, where she built and implemented the company’s global privacy program across more than 75 countries. Sari is a Certified Information Privacy Professional (EU and US) and has been actively involved in several global privacy and data protection organizations, including the International Association of Privacy Professionals, the International Pharmaceutical Privacy Consortium and the International Pharmaceutical & Medical Device Privacy Consortium. In addition to global privacy and data protection matters, Sari has extensive experience in disciplines including healthcare fraud and abuse, compliance and ethics. Prior to specializing in global privacy and data protection, Sari was in private practice as a corporate healthcare lawyer and was also Legislative Counsel for the American Medical Association’s Government Relations Department, where she worked with national and state professional medical associations on various legislative matters at both the state and federal levels.

Laura Mujenda | Associate | LOS ANGELES, CALIFORNIA

Laura Mujenda maintains a broad-based commercial litigation practice that includes business, privacy, data security, investigations and soft IP matters. As part of her growing privacy practice, Laura counsels clients on GDPR compliance, including preparing Article 30 reports and conducting gap analysis. Laura is also engaged in policy framework as related to the California Consumer Privacy Act (CCPA).
In her litigation practice, Laura has experience bringing and defending claims for fraud, misrepresentation, breach of contract, tortious interference with a contract, and trademark, trade dress and copyright infringement. She has handled various aspects of civil litigation, including dispositive motion practice, pleadings, discovery, depositions, dispute resolution and trial preparation. She has also been involved in investigations related to retaliation, sexual harassment, gender or pregnancy-based discrimination and enforcement actions. Laura’s pro bono practice focuses on representing immigrants in removal proceedings who seek lawful admission into the U.S. In that regard, Laura recently secured release on bond and a grant of Deferral of Removal under the Convention Against Torture for a native and citizen of Guatemala.

9/19/19, 10'16 AM About the Privacy Program - Tech | seattle.gov Page 1 of 9 https://www.seattle.gov/tech/initiatives/privacy/about-the-privacy-program#collectingyourinformation

Seattle Information Technology
Saad Bashir, Chief Technology Officer

About the Privacy Program

The privacy program is designed to provide the structure and guidance required for City departments to incorporate the appropriate privacy practices into daily operations and to build public trust and confidence in how we collect and manage the public’s personal information.

In 2015, we designed a citywide Privacy Program to provide guidance and tools to City employees when working with personal information. We convened a group of representatives from across 15 City departments to create policies and practices to define and implement a citywide program to address our privacy commitments.
To advise these efforts, we invited a Privacy Advisory Committee of area privacy thought leaders from academia, local companies, and private legal practice and community activist groups to provide best practices recommendations.

Since that start, the program has continued to grow. We now conduct hundreds of privacy reviews each year about the technologies we use to deliver needed services to ensure that new and existing City programs across all of our many departments use and protect information we collect.

Privacy Principles

The City of Seattle Privacy Principles were adopted as City Council Resolution #31570 (Documents/Departments/InformationTechnology/City-of-Seattle-Privacy-Principles-FINAL.pdf) on February 23, 2015. This set of six principles provides an ethical framework for developing appropriate policies, standards and practices regarding the public's personal information. These principles outline our commitment to collect only what is necessary, tell you how we use and share it, why we keep it only as long as necessary or required by law, and how we protect it from misuse.

Privacy Policy

Adopted in July 2015, this policy (Documents/Departments/InformationTechnology/privacy/PrivacyPolicyFINAL.pdf) provides direction to all City departments about our obligations to follow our Privacy Principles, Privacy Statement, and our Privacy Review process. This policy outlines how departments will design projects with privacy top of mind.

Privacy Statement

Informed by the Privacy Principles, the Privacy Statement outlines our commitments about the collection and management of the public's personal information and both replaces and expands on our former Online Privacy Statement (/tech/initiatives/privacy/about-the-privacy-program#x58255).
Translated Privacy Principles

Privacy Principles - Chinese Cantonese (Traditional) (http://www.seattle.gov/Documents/Departments/InformationTechnology/privacy/CityOfSeattlePrivacyPrinciplesFINAL-Poster-Traditional-Chinese.pdf)
Privacy Principles - Chinese Mandarin (Simplified) (http://www.seattle.gov/Documents/Departments/InformationTechnology/privacy/CityOfSeattlePrivacyPrinciplesFINAL-Poster-SimplifiedChinese.pdf)
Privacy Principles - Korean (http://www.seattle.gov/Documents/Departments/InformationTechnology/privacy/CityOfSeattlePrivacyPrinciplesFINAL-Poster-Korean.pdf)
Privacy Principles - Somali (http://www.seattle.gov/Documents/Departments/InformationTechnology/privacy/CityOfSeattlePrivacyPrinciplesFINAL-Poster-Somali.pdf)
Privacy Principles - Spanish (http://www.seattle.gov/Documents/Departments/InformationTechnology/privacy/CityOfSeattlePrivacyPrinciplesFINAL-Poster-Spanish.pdf)
Privacy Principles - Tagalog (http://www.seattle.gov/Documents/Departments/InformationTechnology/privacy/CityOfSeattlePrivacyPrinciplesFINAL-Poster-Tagalog.pdf)
Privacy Principles - Vietnamese (http://www.seattle.gov/Documents/Departments/InformationTechnology/privacy/CityOfSeattlePrivacyPrinciplesFINAL-Poster-Vietnamese.pdf)

Annual Reports

2018 Annual Report (Documents//Departments/Tech/2018-12 Privacy Program Annual Report.pdf)

Collecting your information

The City collects different kinds of information from the public in order to conduct City operations and provide the public with important services. Some of this information you provide directly to us. Some of it we collect in the course of your interactions with various City departments.

What information we collect

We collect information necessary for City departments to provide services to the public, protect the public's health and safety, and to improve the efficiency and effectiveness of our operations. Our goal is to collect only enough information as is reasonable to perform our Services and to let you know when providing personal information is optional. We also seek to aggregate or otherwise de-identify personal data, when possible, whenever it is not necessary to store or share personally identifiable data elements. The table below provides some examples of the information we collect:

Description: Examples
Personally identifiable information: Name, address, age, birthdate, social security number, driver’s license number
Website information: Information passively gathered from visitors on our website and from mobile devices
Financial information and payment card information: Bank account number, credit or debit card numbers, or other billing information, such as when you pay your utilities, pay taxes, or sign up for program membership or classes
Health records: Medical information collected during emergency response, vaccination records, health program participation
Digital images: Facility security cameras, City sponsored event photos, traffic camera video
Utility use: Consumption data about electricity, water and waste management services
Permitting information: New construction, reconstruction and remodeling, land use, events, utilities
Public safety: Violations, court records, emergency calls
Traffic movement: Traffic flows, event monitoring
Demographic information: Income bracket, gender, race or ethnicity, vocation

Providing personal information on our website.

You may choose whether to provide personal information online. "Personal information" is information about a natural person that is readily identifiable to that specific individual. Personal information includes such things as an individual's name, address, and phone number. We collect no personal information about you unless you voluntarily provide it to us by sending us e-mail, participating in a survey, completing an online form, or engaging in an online transaction. You may choose not to contact us by e-mail, participate in a survey, provide personal information using an online form, or engage in an electronic transaction. However, you may not be able to access certain user-specific features of the web site without providing personal information.

Information collected from visitors to our website.

If you do nothing during your visit to our web site but browse, read pages, or download information, we will automatically gather and store certain information about your visit through the use of cookies and other similar tracking technologies. This information does not identify you personally. The information we collect through these technologies can include:

The Internet Protocol Address and domain name used to access our web site. The Internet Protocol address is a numerical identifier assigned either to your Internet service provider or directly to your computer. We use the Internet Protocol Address to direct Internet traffic to you. This address can be translated to determine the domain name of your service provider (e.g. xcompany.com or yourschool.edu). Generally, the City only determines visitor domain names if a security issue is suspected;
The type of browser and operating system you used;
The date and time you visited this site;
The web pages or services you accessed at this site; and
The web site you visited prior to coming to this web site.

We may use this data automatically collected through cookies and other technologies to: (a) remember information so that you will not have to re-enter it during your visit or the next time you visit the site; (b) provide custom, personalized content; (c) provide and monitor the effectiveness of our website; (d) monitor aggregate metrics such as total number of visitors, traffic, usage, and demographic patterns on our website and our Service; (e) diagnose or fix technology problems; (f) enhance network security; and (g) otherwise to plan for and enhance our Service or website.

For example, the City's web site uses software programs to create summary statistics, which are used for such purposes as assessing what information is of most and least interest, determining technical design specifications, and identifying system performance or problem areas.

We may also use analytic and security tools hosted by third parties or managed within the City as part of maintaining our web presence. These tools help us measure traffic and usage trends for our web site and help ensure that this service remains available to all users. These tools can also be used to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. Except for authorized law enforcement investigations and the security purposes mentioned elsewhere in this notice, no other attempts are made to identify individual users or their usage habits.
Raw data logs are used for no other purposes and are scheduled for regular destruction in accordance with public records retention schedules.

The City does not generally use cookies or other tracking technology to track its users across websites or over time, nor does it currently permit third party ad networks or other companies to track users on our web site. Because we do not track users over time and across websites, your use of the Do Not Track feature on your browser will have no effect on this web site.

Information collected from website visitors who chose to provide personal information online.

If during your visit to our web site you participate in a survey, send an e-mail, participate in a City hosted mailing list or web-based discussion, register an account, participate in online commerce, or perform some other transaction online, we may collect personal information from you, including:

The e-mail address, and contents of the e-mail, for those who communicate with us via e-mail or who participate in a City hosted mailing list or web-based discussion.
Information volunteered in response to a survey.
Information provided through an online form for any other purpose.
Information submitted when participating in an online transaction with the City.
Information provided when you register an account.

The information collected is not limited to text characters and may include audio, video, and graphic information formats you send us. We use your e-mail address to respond to you. We do not send you unsolicited e-mail unless you specifically elect to receive it or unless it is part of a transactional communication that is part of receiving a City service.
Online discussion lists or "threads" are maintained and controlled in accordance with the City's Electronic Conferencing and List Services Policy (http://www.seattle.gov/pan/mailinglistpolicies.htm). Survey information is used for the purpose identified by the survey. Information from other online forms is used only for conducting City business related to the online form.

Information collected from your mobile device

If you access our website and online services or use an application on a mobile device, we may collect certain information about that device. Messages sent from certain mobile devices contain unique identifiers about the physical location of such devices. Mobile devices also typically transmit caller ID data when used to transmit a telephone call or text message. Depending on the device and its settings, this information includes but is not limited to geolocation data, unique device identifiers and other information about your type of device, wireless provider, date and time of transaction, browser type, browser language and other transactional information. We may use this information to contact you and to respond to requests. We will not use your phone number to initiate a call or SMS text message to you without your express prior consent. Your wireless carrier and other service providers also collect data about your SMS Service usage, and their practices are governed by their own privacy policies.

Additional Resources: To find out more about the information that your mobile device collects and transmits, and the options available to you to change factory defaults that may affect those transmissions, please consult with your wireless or mobile device provider. For general information about wireless industry laws and regulations, please go to the Cellular Telecommunications and Internet Association website at http://ctia.org/consumer_info/service/.
Avoiding Internet Fraud

Fraudulent scams called "phishing" have been increasing in frequency. "Phishing" involves a victim receiving an e-mail appearing to be from a legitimate business. The "from" line is often forged and the e-mail usually contains authentic looking graphics making it appear to be legitimate. The e-mail may also contain what appears to be a legitimate link to that organization, e.g., http://www.seattle.gov/. When the victim clicks on this link, they are then taken to what appears to be a legitimate looking website. Criminals can even make your browser's address bar contain the address of the legitimate organization despite the fact that the website is a forgery. Victims are then encouraged to enter personal information including credit card numbers and expiration dates.

We will not request confidential personal or financial information from our customers via an unsolicited e-mail. The City will also never send you an unsolicited e-mail containing a link to a City website where confidential personal or financial information is requested. If you receive such an e-mail, purportedly from the City, you are encouraged to immediately contact the City's Customer Service Bureau at: (206) 684-CITY.

For more general information about "phishing" visit the Federal Trade Commission web site (http://www.ftc.gov/). For specific information about a suspected phishing attempt you may have received, contact the organization represented in the suspect e-mail.

Paper forms

City departments may collect information on paper forms as part of providing a government service or community engagement. These forms may request personal information, such as name, birthdate, address, telephone number, and email address.
Forms may also request additional information necessary to determine eligibility for a service, such as income. When possible, forms will note what information is required to obtain a government service or participate in a government function and what information is optional. In addition, the form will note if there are any options for "opting out" of certain data uses, such as follow-up communications not directly related to the service being requested. Please note that we will be updating our forms over time to contain these disclosures.

Telephone calls

Individuals may contact the City via phone such as when calling our Customer Service Bureau (CSB), Seattle City Light/Seattle Public Utilities Call Center, or when calling a City department or staff member directly. Our phone system automatically logs the phone number and other characteristics of calls to and from City numbers, such as call duration and the extension in the City that received or made a call. It is not possible to opt-out of this collection.

During the course of your call to a call center, we may ask for additional information. This information will be used to help provide the requested service. The call taker will inform you about what information may be optionally provided. We will also provide notice if and when a call center records calls for training purposes or to improve the services.

We may also collect personal information when we call you or notify you of an event via phone or text message, including by creating a record of when a call was made and whether it was received by a live person.
Email communication

When sending an email to a City email address, such as user@seattle.gov or user@startupseattle.com, we collect personal information that may be contained in the email message and automatically log certain information about the message, including the sender information, the IP address, routing information, and email address. It is not possible to opt-out of this collection. In some cases, when the City sends an email to a user, it may contain beacons, which help the City track which emails have been opened and which links are clicked by our recipients.

Video cameras

Some City-owned facilities use video cameras to monitor activity and protect those working in or visiting the facility, or to protect the public. These include the following:

Image recording

Some City facilities use video cameras to monitor activity in common areas to protect the health and safety of those working in or visiting the facility. Notices will be posted in the area where these video cameras are in use. Depending on public policy, the needs of the facility, and applicable laws and regulations, these recordings may record video, audio, or both.

Traffic cameras

Main arterials and other roads, sidewalks and waterways have cameras posted to monitor traffic flow and major traffic events. The City also deploys red light cameras at some intersections to enforce the traffic laws.

Public Safety

There are a variety of video and audio capture technologies used for public safety purposes.
For example, please see the following for more details governing some image recording technologies:

Technology: Governance
In Car Video System: Seattle Police Department (SPD) Manual Chapter 16.090
Body-Worn Video Pilot Program: SPD Manual Chapter 16.091
Automatic License Plate Readers: SPD Manual Chapter 16.170
Collection of Information for Law Enforcement Purposes: Seattle Municipal Code (SMC) Chapter 14.12
Holding Cell Camera System: SPD Manual Chapter 10.060
Acquisition and Use of Surveillance Equipment: SMC Chapter 14.18
Automated Traffic Safety Cameras: SMC 11.50.570

Emergency response

In certain public safety and emergency response situations, we collect biometric data, including fingerprints and health related measurements such as heart rate or blood pressure. In some cases, we also employ facial recognition technology to assist in public safety response. Due to the individualized and serious nature of emergency response efforts, a variety of personal information may be collected by first responders and other personnel, as needed, and such data collection, use and disclosure practices may fall outside of the scope of this Privacy Statement. Emergency call centers may also follow different protocols in the course of responding to emergency calls. Whenever possible, our emergency responders will attempt to honor the Privacy Principles and this Privacy Statement when collecting, using, storing or sharing personal information.
City of Seattle Privacy Principles

The City of Seattle collects personal information from the public so that we can provide many important services including community and critical infrastructure protection, 911 call response, waste management, electricity delivery and other services. We work to find a fair balance between gathering information to provide needed services and protecting the public’s privacy.

While privacy laws protect some personal information, the information we collect becomes a government record that others can ask to see through public records requests. Therefore, it is important for you to know when and how your personal information is collected, how we use it, how we disclose it and how long we keep it.

The following Privacy Principles guide the actions we take when collecting and using your personal information:

We value your privacy… Keeping your personal information private is very important. We consider potential risks to your privacy and the public’s well-being before collecting, using and disclosing your personal information.

We collect and keep only what we need… We only collect information that we need to deliver City services and keep it as long as we are legally required and to deliver those services. Whenever possible, we tell you when we are collecting this information.
How we use your information… When possible, we make available information about the ways we use your personal information at the time we collect it. We commit to giving you a choice whenever possible about how we use your information.

We are accountable… We are responsible for managing your personal information in a manner that is consistent with our commitments and as required by law. We protect your personal information by restricting unauthorized access and by securing our computing resources from threats.

How we share your information… We follow federal and state laws about information disclosure whenever we work with outside governmental agencies and in answering Public Disclosure Requests (PDRs). Business partners and contracted vendors who receive or collect personal information from us or for us to deliver City services must agree to our privacy requirements.

Accuracy is important… We work to maintain and use accurate personal information for City business. When practical, we will work to correct inaccurate personal information. We also direct our partners and contracted vendors to follow the same guidelines.