In 2015 a man named Alastair Mactaggart had a conversation with a friend of his, a Google engineer, about the amount of data Google had on people. The more he thought about it, the more concerned he became. Through his efforts, the California Consumer Privacy Act, also known as the California privacy law, was signed into law by California Governor Jerry Brown in June 2018.
Section 2(i) states:
Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
A few words about data collection and sale
When you start your Facebook account, or sign up for a Gmail account, you might be inclined to believe that you are the customer of that company. Traditionally, using a company’s services does make you the customer, and as such you have a certain amount of power. As a customer at a grocery store, the store wants you to have a pleasant shopping experience. They might also like you to feel you got a quality product at a fair price. They train their staff to be courteous and helpful. When there is a dispute, a manager is always available to resolve your problem to the best of their ability. They do this to build a relationship with you, the customer. If you are happy with this store, you will shop there more frequently. You may drive past other stores to shop there. You may even tell your friends and co-workers about how much you like this particular grocery store. That’s good for business, and the store depends on it to STAY in business. If it upsets too many customers with poor service, high prices, or lack of options, fewer people shop there, and worse, they tell their friends and co-workers how terrible that store is, which is very bad for business. The bottom line is that you and your opinion matter very much to the grocery store, and they are willing to go to great lengths to make and keep you happy.
With a company like Facebook, though, we don’t actually pay for our account, do we? Facebook provides a platform where you can connect with friends and family, share photos and video, and share your feelings and opinions on anything. So why do they spend so much time and effort providing us this platform if they will never collect any money from us? Because we are not the customer in this transaction; we are the product! We give them vast amounts of personal information. Some we give purposely: “I’m at Vail Ski Resort having the time of my life!” or “Does anyone have a recommendation for a good grout removal tool? I’m about to start renovating the downstairs bathroom!” Other information they put together from small bits of separate information that form a bigger picture. For instance, a company called Cambridge Analytica collected 50 million raw profiles to determine users’ political leanings and sold that information to political campaigns, who could then advertise directly to those users in an attempt to sway voters.
Through the many products it provides people, free of cost, Google collects incredible amounts of data on you. Consider what is given to them through Gmail, your internet searches on Chrome, your movements through Maps, your schedule through their Calendars, what type of files you use on Drive, your photos, and the videos you like to watch or upload on YouTube!
Companies collect your information and sell it for a profit. Until recently, you didn’t even have the right to know what they had on you. With these and most other “free” applications, YOU are the product. Advertisers are the customer. Your only recourse, if you have a problem with what a company is doing, is to stop using their service! Even if you do cancel your account, the company is usually under no obligation to delete your information.
Companies do divulge some information on how they use your data. You just need to read their Terms of Service. For instance, Facebook’s Terms of Service is 3,224 words long, with another 4,144 words in its Data Policy, “which you must agree to in order to use our Products,” as they put it.
Google’s Terms of Service is a mere 1,869 words, with another 4,000 words and 4 helpful videos in its privacy policy.
I have never met anyone that has read through these cumbersome documents, have you?
Assess your CCPA compliance
The goals of CCPA: Transparency, Control, Accountability
Transparency: What information was or will be collected?
This is covered by rights 1, 2, and 4.
(1) The right of Californians to know what personal information is being collected about them.
- If a business is going to collect information about you, it must inform consumers of the categories of personal information to be collected and the purposes for which the personal information shall be used, all of which must take place at or before the point of collection. If the business wants to collect information in other categories, it must provide notice.
- This also covers your right to know what personal information the business has collected on you, by category AND by specific pieces of information, upon your request. The business is obligated to verify the request in order to avoid giving the information to unauthorized parties, but once a verified request is made, the business shall promptly take steps to disclose and deliver, free of charge, the personal information it has collected (with a few exceptions regarding ‘one-time-use’ information).
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
- If a company sold your personal information, upon a verified request it must provide “The business or commercial purpose for collecting or selling personal information and the categories of third parties with whom the business shares personal information.” It does NOT appear to require that they divulge the NAME of the businesses your personal information was sold to, just the category of business it was sold to. This may be to protect the business from competitors gaining unfair insight into its operations.
(4) The right of Californians to access their personal information.
- Companies are required to make two or more designated methods available for submitting requests for information, including, at a minimum, a toll-free telephone number and, if the business maintains an Internet Web site, a Web site address.
- Requests for information by consumers, once verified, must be fulfilled within 45 days. The company can inform you during those 45 days that it is extending the deadline by 45 more days if it deems this necessary.
- The information requested must be delivered in a readily usable format that allows you to transmit this information from one entity to another entity without hindrance.
- The business may not require the consumer to create an account with the business in order to make a verifiable request.
Control: Stop selling or delete my information!
Right number 3 covers this one.
(3) The right of Californians to say no to the sale of personal information.
- A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
- A consumer shall also have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. There are quite a few caveats to this one, but they seem to be common-sense exceptions.
- Businesses that this applies to must provide a conspicuous link on their homepage titled “Do Not Sell My Personal Information.”
Accountability: Keep my info safe!
- If a business loses your personal information, the law provides the ability for a civil action to recover damages of between $100 and $750 per consumer per incident, OR actual damages if they are greater. To put that in perspective, the 2017 Equifax breach lost the data of 143,000,000 Americans. That would have cost them a minimum of $14.3 billion under this law!
- Intentional violations of this law may be liable for a $7,500 fine per violation.
Non-reprisal: Don’t punish me for opting out!
This is right number 5.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
- A business shall not discriminate against a consumer because the consumer exercised any of their rights under this law. In other words, if you opt out or ask for information under this law, the business can’t:
  - Deny goods or services to the consumer.
  - Charge different prices or rates for goods or services, including through the use of discounts or other benefits, or impose penalties.
  - Provide a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title.
  - Suggest that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
- A business is not prohibited from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
- A business may offer to compensate you for the sale of your personal information.
With the California data protection law in place, consumers gain transparency, control, and accountability, which will help them greatly moving forward.
Implementation of CCPA
The CCPA (California privacy law) goes into effect on January 1, 2020, although the Attorney General may not bring an enforcement action under CCPA until six months after adoption of the implementing regulations, or July 1, 2020, whichever is sooner.
It is definitely not too early to start addressing compliance if you are a business this law applies to. Some of the provisions in CCPA will require entirely new processes to be put in place.
In Summary
Whether you are a consumer or a business that deals with consumer personal information, CCPA (the California data privacy law of 2018) affects us all. If you are a business in need of assistance preparing for CCPA implementation, don’t hesitate to reach out for expert security or CCPA advice. RSI Security can help.
Our California Consumer Privacy Act (CCPA) services include:
- CCPA audit and assessment services (covering required and addressable technical, physical, and administrative safeguards for the personal data environment)
- Personal Data Mapping and Inventory
- Privacy by Design Program
- Privacy Impact Assessment
- Incident and Data Breach response planning
- Network Penetration Testing
- Vulnerability Scanning
- Enterprise Privacy Risk Assessment
- Personal Data Security Awareness and Training
Visit us at https://www.rsisecurity.com/compliance-advisory-services/ccpa/
Stay Secure!