SlideShare une entreprise Scribd logo

CCPA: What You Need to Know

IronCore Labs
IronCore Labs

A white-paper on California's Data Privacy Initiative

Business
1  sur  13
Télécharger pour lire hors ligne
CCPA:WHATYOUNEEDTOKNOW A white paper on California’s new data privacy law
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 2 CCPA: What you need to know CONTENTS Executive Summary.................................................................................................................3 Does it even matter?....................................................................................................................3 What does it do?...........................................................................................................................4 What are the penalties?..............................................................................................................4 What businesses are impacted?.............................................................................................. 5 Detailed Breakdown................................................................................................................5 Consumer Rights......................................................................................................................... 5 Sensitive Data............................................................................................................................... 6 Consumers Covered................................................................................................................... 6 Businesses Covered................................................................................................................... 6 Obligations of a Covered Business.........................................................................................7 Enforcement / Penalties............................................................................................................. 9 Civil Penalties.............................................................................................................................9 Private Right of Action.............................................................................................................9 Exemptions / Exceptions...........................................................................................................10 Data Security Example..........................................................................................................10 Global Context.......................................................................................................................12 Further Reading..................................................................................................................... 13
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 3 CCPA: What you need to know DISCLAIMER: This is not legal advice and does not substitute for it. EXECUTIVE SUMMARY The California Consumer Privacy Act (aka CCPA or AB 375) of 2018 shot through the Cali- fornia legislature in seven days. It was going to be on the November ballot and legislators feared it would become law without any opportunity for stakeholders (lobbyists and such) to weigh in and help shape it. The sponsors of the initiative agreed to take it off the ballot if the legislature would pass the bill within a deadline. They did. In the process, they wa- tered parts down, such as the elimination of rewards for whistle-blowers. Does it even matter? For many businesses, this law does not apply. For the rest, it either may cease to exist or may be radically watered down. The California law is under attack on a number of fronts. Now that it is law, it’s being actively amended. Large tech companies like Facebook, who spent $200,000 to try to stop the law despite publicly declaring to be in favor of it, are now trying to weaken it in these amendments. They are also trying to get the California Attorney General to issue rules that undercut the core principles and size of the penalties, for example by defining a “violation” as being per event rather than per person per event. These same companies are also pushing the U.S. Congress to enact a privacy law that preempts the California one. Even in a divided Wash- ington, there’s a good chance that we have a Federal law before January 1st, 2020, which is when the California law is scheduled to take effect. The big question is what shape such a law would take. Certainly there is a big push to make the law much more business friendly and much less protective of consumer privacy. The provisions around fines, around amount of disclosure, and around portability are all under attack. Despite the uncertainties, work towards CCPA compliance has to start now. Specifically, all sales of data must be tracked for 12 months before the law takes effect, which means beginning January 1st, 2019. Big tech companies aren’t exactly D.C. darlings at the moment. They might manage to preempt the California law with a toothless one, but it’s a risky bet. big tech companies aren’t exactly D.C. darlings at the moment
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 4 CCPA: What you need to know What does it do? Although CCPA has been described as GDPR-light, it is in no way light on requirements or penalties. CCPA is focused on these core principles: 1. Transparency: consumers get to know what data is collected and for what pur- pose(s). If the data is sold or shared, they get to know the details of what and to whom. Consumers even get to know if a company has sold any data to anyone in the last 12 months. 2. Control: consumers get the right to opt-out (or opt-in for minors) of the sale of their data, the right to see the data, the right to have it erased, and, perhaps most signifi- cantly, the right to privately sue for damages if a company fails on any point. 3. Data security: companies are liable for both fines and civil suits (individual or in classes) for any personal information that they fail to protect from hackers or other misuse (ie, internal employees looking at data they shouldn’t without a business purpose). It’s worth noting that the data security provi- sions were added when, in the middle of writ- ing the bill, the Equifax breach came to light and it became clear that Equifax was reserving about $2 per person affected to deal with it and, in all likelihood, would make money off the breach by offering credit monitoring to their affected customers with a free introduc- tory period that turned to a paid subscription. What are the penalties? If a company does not adhere to the consumer rights in the bill, they can be fined $2,500 per violation, which the writers of the law intended to mean to be per person per incident. There are provisions for this to be adjusted down in some cases and at the discretion of the AG. If the violations are found to be willful, like if executives intentionally decided not to disclose a sale of data (versus an accidental omission), then the penalty can be up to $7,500 per violation. A company that intentionally sells the data of 50,000 consumers and willfully fails to disclose that fact, would face a $375 million fine. If a business is breached, a private right of action is given to consumers to sue for the
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 5 CCPA: What you need to know greater of actual damages, or an amount between $100 and $750 per record. In the case of the Equifax breach, where 148 million consumers (56% of American adults) were impacted, a theoretical class action suit would result in damage awards starting at $14.8 billion and could go as high as $111 billion -- except in practice, only California residents could bring suit. So with 40 million residents, 31 million adults, and assuming only 56% of those were impacted, the highest amount Equifax would pay would be $13.1 billion, which is quite a bit more than the $300 million they set aside. What businesses are impacted? The law is generally aimed at two classes of businesses: 1. Data brokers: companies that either make a majority of their revenue by selling personal information of consumers or that trade (buy or sell) more than 50,000 records per year. 2. Large companies: companies with greater than $25 million in annual gross reve- nues. That means that the vast majority of small and mid-size businesses, including most tech startups, can skate by for now. DETAILED BREAKDOWN As always, the devil is in the details. This is not meant to be a comprehensive list of de- tails, but rather a survey of the most interesting parts of the law. Consumer Rights • Right to deletion: A consumer can request a business deletes their personal infor- mation and barring a good reason not to, the business must comply. • Right to know details: A consumer has the right to know exactly what data is col- lected both in specifics and in terms of the categories of data held. • Right to know source: A consumer may learn the categories of sources from which the data was obtained. • Right to know purpose: A consumer has the right to know the purpose for why data is collected, why it is being sold, and how it will be used.
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 6 CCPA: What you need to know • Right to know sharing: A consumer has the right to know with whom their data is shared • Right to portability: A consumer may request a copy of their data and it must be provided in a portable and readily usable format. Unlike with GDPR, a company cannot charge for this. • Right to private action: A consumer has the right to sue a company for non-compli- ance. • Right to opt out: A consumer has the right to opt out of the sale of their personal information. For children 16 years old or younger, they or a guardian must first opt- in before their data can be sold. • Right of opt-out delegation: A consumer may enlist a third-party person or organi- zation to request opt out on their behalf. Sensitive Data Under CCPA, almost any data related to a consumer is considered to be personal infor- mation. Additionally, the list of information that is considered to be identifiable is long. Personal information includes real name, alias, online identifier, IP address, email address, health information, financial information, social security numbers, location information, biometric data, audio and visual data (pho- tos, recordings), ac- tivity information and history data, and any inferences that can be made from any of this information. Consumers Covered All residents of California. Unclear, but may also apply to visitors while they’re in state. Businesses Covered Applies to businesses in California, those that process information or buy or sell it in Cal- ifornia, and those that hold the data of residents of California. More broadly: if any part of a business or its customer base crosses into California, the law applies. the vast majority of small and mid-size businesses, including most tech startups, can skate by for now
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 7 CCPA: What you need to know That said, a company must meet any one of a set of criteria before most of the provisions of the law kick in: • Large company: gross revenues over $25 million; or • Data broker: annually obtains, sells, or shares personal information of 50,000 con- sumers or more; or • Data vendor: derives more than half of its revenue from selling personal informa- tion. These qualifiers effectively exempt most small businesses and tech startups from the various provisions. Obligations of a Covered Business For large businesses, it’s likely that they’ve already undergone GDPR compliance efforts. With the exception of some very specific details like required home page links and cat- egorizations of information and partners, these companies should have very little incre- mental work. That said, there are a number of key obligations that covered businesses must meet: 1. Disclosure of rights: on websites and in privacy policies, companies must disclose the consumer rights in a way that is “reasonably accessible to consumers” (ie, not buried in legal docs alone). This includes disclosing the rights to delete, to ask for data, to opt-out, etc. 2. Disclosure of data use: at or before the point of collection, companies must inform consumers as to the categories of personal data to be collected and the purposes for which each category of personal data will be used, including the specifics of which information will be shared or disclosed, including the categories of partners that it will be shared with and the business purpose for the sharing. 3. Disclosure of data sales: even if information is no longer being sold and policies around sharing of information have changed, a company must update their privacy policy every 12 months to disclose any personal information that was sold in the preceding 12 months or to expressly state that no data was sold if that’s the case. 4. Respond to information requests: via at least two different methods in which one must, at a minimum, be a toll free telephone number and, if applicable, a web address. A response to a request for copies of personal information being held
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 8 CCPA: What you need to know must be prompt and free of charge unless the requests are unfounded or exces- sive. Material must be provided in a portable and readily usable format. Company has 45 days to provide the data and may, with written notice, gain a single 45 day extension. A request for data must not require account creation. 5. Respond to erasure requests: and cascade those requests through to any service providers so they, too, delete the consumer’s records. 6. No resale: of any personal information that was obtained through a third-party may not be resold or shared unless the consumer has received explicit notice and is given the opportunity to opt out. 7. Provide opt-out: so consumers can elect to not have their data sold or shared. Cannot discriminate against consumers who opt out by denying them goods or ser- vices or by providing a different level of quality or by charing different prices unless the data is expressly needed to provide the product or service. A clear and conspicuous link on the business’s home page must exist and be titled, “Do Not Sell My Personal Information.” That link must allow a consumer to opt out without creating an account. Note 1: this calls into question the practice of making someone give their name and email before they can download a white paper. Note 2: a business may keep information that is needed in order to honor an opt- out request. 8. No nagging: opt out requests must be honored for 12 months before asking the consumer to reconsider. 9. Contracts with 3rd-parties: with whom personal information is shared must be updated to forbid the selling of information that is held on behalf of the company. It must forbid any use of the data outside of the specific business purpose of the relationship. The 3rd-party must sign a separate statement expressly certifying that they understand the CCPA regulations and that they are forbidden from using the personal information. 10. Explanations: If any consumer requests are denied, the consumer must be told why. For example, if they didn’t prove their identity or if there’s another reason why the data must not be deleted, that has to reflect back to the consumer. 11. Data protection: procedures and practices must be implemented and maintained to protect personal information from unauthorized access.
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 9 CCPA: What you need to know Enforcement / Penalties Civil Penalties Civil penalties will be pursued by the California Attorney General (AG), who has a high degree of latitude in terms of levels of penalty sought, rule writing, and interpretation. For example, in the case of data security, the law is intentionally vague to allow the definition of “reasonable practices” to evolve over time. If a company is failing to meet the obligations of CCPA, they will first get a warning letter from the AG giving them 30 days to remedy the is- sue. If, after the 30 day period, the non-compliance issues remain, the AG may seek up to $2,500 per violation. The writ- ers of the law intended that to mean per consumer per event, but the final definition will be made by the AG before the law kicks in. If the AG believes the issues to be intentional, then the fines may increase to $7,500 per violation. Any collected fines go into a dedicated Consumer Privacy Fund that will pay for the AG’s efforts in this area. In the case of a data breach, the AG may seek penalties in addition to the private right of action explained below. Private Right of Action Individuals or groups of individuals in a class may directly sue companies who are respon- sible for unauthorized access to their personal information. In other words, if a company is hacked and personal information is stolen, then the ultimate victims of the theft, the individuals’ whose information was stolen, can seek compensation. There are three cases where companies may not be liable: • Encrypted: The accessed data was encrypted • Deidentified: The accessed data was redacted or otherwise deidentified • Well protected: The company had reasonable practices and procedures in place to protect the data. Damages in such a suit will be no less than $100 per record per incident and no more than $750 per record per incident or actual damages if they should be greater. this calls into question the practice of making someone give their name and email before they can download a white paper
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 10 CCPA: What you need to know Exemptions / Exceptions • Consumer verification: A business may deny a request for data or erasure if they are unable to verify that a consumer (or agent of a consumer) making the request is who they say they are. • Conflicting law: A business may retain data that is required to meet Federal laws such as HIPAA and GLBA. • Public records: Any records that are public, such as if they are lawfully made avail- able by Fed/state/local Government (ie, property records) may be retained. • Excessive requests: Need not provide information if a consumer requests info more than twice in 12 months. • Contractual need: Need not delete data that is required to complete a transaction or a contract in an ongoing relationship with the consumer. • Intrusion or fraud detection: Need not delete data if it is required for detection of security incidents or fraud. • 1st amendment: Need not delete data if it would infringe on another consumer’s right to free speech. • Research: Need not delete data that is needed for public interest research. • Law enforcement: Must not delete data that is needed to comply with a legal obli- gation such as a law enforcement request. • Deidentified: Need not delete data that is deidentified or aggregated provided it can’t be re-identified and that the company takes the following measures to ensure that: a) technical safeguards; and b) business processes that prohibit reidentifica- tion; and c) business processes that prevent the release of such data. • Outside California: If data is collected and processed outside of CA and doesn’t pertain to a California resident. Note: can’t hold data on a device until a resident leaves the state and then transmit it. DATA SECURITY EXAMPLE This law very much had Equifax in mind when the data security component was added, per two of the writers of the original law. Since then, much more has come out about the Equifax breach, including the “Equifax Data Breach Report” by the Congressional House
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 11 CCPA: What you need to know Oversight Committee. Equifax is an interesting case study because, by all accounts, they invested quite a bit in security. They had numerous teams including a “Global Threat and Vulnerability Man- agement” team. They had intrusion detection in place, scanners searching for out of date sofware, and more. In the CCPA, the security requirement is to “implement and maintain reasonable secu- rity procedures and practices appropriate to the nature of the information.” They cer- tainly implemented a number of security practices. But they fell down in the main- tenance side. In practice, however, they had numerous lapses. They were slow to respond to new vul- nerabilities, their intrusion detection software had not been working for 19 months, their scans for vulnerable software weren’t configured correctly and were falsely reporting that issues weren’t found. They also didn’t encrypt the sensitive personal information they held on consumers. These things led to the damning conclusion of the Congressional report: “Equifax, how- ever, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.” Sometimes, it’s hard to see how broken a system is until it fails spectacularly. This was an organization who spent a lot on security, but ultimately failed to manage the complexities of their environment. It’s easy to imagine CCPA leading to massive class action awards with penalties in the billions for this mismanagement. sometimes it’s hard to see how broken a system is until it fails spectacularly
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 12 CCPA: What you need to know GLOBAL CONTEXT Blue - Comprehensive Data Protection Law Enacted (118:99 UN/19 self gov) Red - Pending Bill or Initiative to Enact Law (36/3) White - No initiatives or no information (58) National Comprehensive Data Protection/Privacy Laws and Bills 2018 BS LC TT VC CV HK JM MU MT AD MC SM MO TW DB IS SC IM GG JE GI SG FO CY VG BB KY DM QA FO KN CR DO SV BM David Banisar September 2018 SX CW BQ GD AG ST AD AX AW GT HN MS BN SH LB NI PA EG BH BZ California’s newest privacy law is just one of many. Over 100 countries have enacted data privacy laws and dozens more have legislation pending. Despite the map above, the U.S. does have pending data privacy legisltation, and that’s in addition to a patchwork of laws with privacy requirements for the handling of health care data (HIPAA), financial data of public companies (SOX), data on students (FERPA), children (COPPA), and more. For companies who have customers that operate around the world, the complexity of complying with these laws is daunting and getting worse almost daily. At a macro level, the overriding theme of these laws is putting the control of a consumer’s data into the hands of the consumer so that they know how their data is used and can ob- ject to it. In this way, CCPA is unexceptional. Another common theme is the requirement to protect the data from being exposed to unauthorized people. In nearly every case, there is a specific clause that calls out the idea that a company has not lost data if the thieves can only see it in encrypted form. Which is why stories like the Equifax story are so sur- prising. Why didn’t Equifax encrypt the data? There were over 30 things they screwed up, any of which could have prevented, detected, or blocked the attack. The simplest and most obvious is encryption.
© IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 13 CCPA: What you need to know FURTHER READING Alastair Mactaggart and Ashkan Soltani, two of the folks most responsible for making CCPA happen, maintain a website that’s all about CCPA and the ongoing battles: https://www.caprivacy.org/ If you’d like to read the actual bill, you’ll need to first read the bill that passed in Summer 2018, and then read each of the amendments. For the moment, only one has been made law. These two links are the ones to dig into: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1121

Recommandé

Spokeo v Robins
Spokeo v RobinsSpokeo v Robins
Spokeo v RobinsTumi Atolagbe, CIPP/E, MBCS
 
Saying no to the government
Saying no to the governmentSaying no to the government
Saying no to the governmentguest70f067f
 
ILC Cyber Report - June 2018
ILC Cyber Report - June 2018ILC Cyber Report - June 2018
ILC Cyber Report - June 2018Internet Law Center
 
Data Mining: Privacy and Concerns
Data Mining: Privacy and ConcernsData Mining: Privacy and Concerns
Data Mining: Privacy and ConcernsBradley Buchanan
 
Social Media and the Law
Social Media and the LawSocial Media and the Law
Social Media and the LawChristina Gagnier
 
Tech Week Chicago 2012: Law & Social Data
Tech Week Chicago 2012: Law & Social DataTech Week Chicago 2012: Law & Social Data
Tech Week Chicago 2012: Law & Social DataAdler Law Group
 
Wills and estates law in the digital age
Wills and estates law in the digital ageWills and estates law in the digital age
Wills and estates law in the digital ageClio - Cloud-Based Legal Technology
 
Silicon Valley companies will receive more freedom to disclose data requests ...
Silicon Valley companies will receive more freedom to disclose data requests ...Silicon Valley companies will receive more freedom to disclose data requests ...
Silicon Valley companies will receive more freedom to disclose data requests ...illustriousacne45
 

Recommandé

Spokeo v Robins
Spokeo v RobinsSpokeo v Robins
Spokeo v RobinsTumi Atolagbe, CIPP/E, MBCS
 
Saying no to the government
Saying no to the governmentSaying no to the government
Saying no to the governmentguest70f067f
 
ILC Cyber Report - June 2018
ILC Cyber Report - June 2018ILC Cyber Report - June 2018
ILC Cyber Report - June 2018Internet Law Center
 
Data Mining: Privacy and Concerns
Data Mining: Privacy and ConcernsData Mining: Privacy and Concerns
Data Mining: Privacy and ConcernsBradley Buchanan
 
Social Media and the Law
Social Media and the LawSocial Media and the Law
Social Media and the LawChristina Gagnier
 
Tech Week Chicago 2012: Law & Social Data
Tech Week Chicago 2012: Law & Social DataTech Week Chicago 2012: Law & Social Data
Tech Week Chicago 2012: Law & Social DataAdler Law Group
 
Wills and estates law in the digital age
Wills and estates law in the digital ageWills and estates law in the digital age
Wills and estates law in the digital ageClio - Cloud-Based Legal Technology
 
Silicon Valley companies will receive more freedom to disclose data requests ...
Silicon Valley companies will receive more freedom to disclose data requests ...Silicon Valley companies will receive more freedom to disclose data requests ...
Silicon Valley companies will receive more freedom to disclose data requests ...illustriousacne45
 
Smartphones are smarter than you thought geo bellas
Smartphones are smarter than you thought geo bellasSmartphones are smarter than you thought geo bellas
Smartphones are smarter than you thought geo bellasGeoBellas
 
1984 in 2015 Protecting Employees' Social Media from Misuse
1984 in 2015 Protecting Employees' Social Media from Misuse1984 in 2015 Protecting Employees' Social Media from Misuse
1984 in 2015 Protecting Employees' Social Media from MisuseWendi Lazar
 
The california consumer privacy act (ccpa) is in effect starting on january 1...
The california consumer privacy act (ccpa) is in effect starting on january 1...The california consumer privacy act (ccpa) is in effect starting on january 1...
The california consumer privacy act (ccpa) is in effect starting on january 1...RominaMariaBaltariu
 
USLFG Corporate & Securities Presentation
USLFG Corporate & Securities PresentationUSLFG Corporate & Securities Presentation
USLFG Corporate & Securities PresentationArmstrong Teasdale
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
Social Media Law: The Legal Do's and Don'ts of Social Media
Social Media Law: The Legal Do's and Don'ts of Social MediaSocial Media Law: The Legal Do's and Don'ts of Social Media
Social Media Law: The Legal Do's and Don'ts of Social MediaShawn Tuma
 
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...Shawn Tuma
 
Big data: legal firms play ‘Moneyballʼ
Big data: legal firms play ‘Moneyballʼ Big data: legal firms play ‘Moneyballʼ
Big data: legal firms play ‘Moneyballʼ LUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Privacy and Access to Information Law - Lecture 1
Privacy and Access to Information Law - Lecture 1Privacy and Access to Information Law - Lecture 1
Privacy and Access to Information Law - Lecture 1James Williams
 
The regulatory environment of electronic commerce
The regulatory environment of electronic commerceThe regulatory environment of electronic commerce
The regulatory environment of electronic commerceWisnu Dewobroto
 
Age Verification / “Doing the Right Thing”
Age Verification / “Doing the Right Thing”Age Verification / “Doing the Right Thing”
Age Verification / “Doing the Right Thing”IDology, Inc
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technologyEzraGray1
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHealthCare Too, LLC
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protectionijtsrd
 
Legal Matters in E-commerce
Legal Matters in E-commerceLegal Matters in E-commerce
Legal Matters in E-commerceE-commerce Course of Boğaziçi University
 
Paradise by the DASHBOARD Act?
Paradise by the DASHBOARD Act?Paradise by the DASHBOARD Act?
Paradise by the DASHBOARD Act?Maxx Cook
 
Apple Report Privacy of its Users
Apple Report Privacy of its UsersApple Report Privacy of its Users
Apple Report Privacy of its UsersAmalist Client Services
 
PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011Kimberly Verska
 
Rockstar-v-google-pdf
Rockstar-v-google-pdfRockstar-v-google-pdf
Rockstar-v-google-pdfGreg Sterling
 
Legal social ethical
Legal social ethicalLegal social ethical
Legal social ethicalSheetal Verma
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
 

Contenu connexe

Tendances

Smartphones are smarter than you thought geo bellas
Smartphones are smarter than you thought geo bellasSmartphones are smarter than you thought geo bellas
Smartphones are smarter than you thought geo bellasGeoBellas
 
1984 in 2015 Protecting Employees' Social Media from Misuse
1984 in 2015 Protecting Employees' Social Media from Misuse1984 in 2015 Protecting Employees' Social Media from Misuse
1984 in 2015 Protecting Employees' Social Media from MisuseWendi Lazar
 
The california consumer privacy act (ccpa) is in effect starting on january 1...
The california consumer privacy act (ccpa) is in effect starting on january 1...The california consumer privacy act (ccpa) is in effect starting on january 1...
The california consumer privacy act (ccpa) is in effect starting on january 1...RominaMariaBaltariu
 
USLFG Corporate & Securities Presentation
USLFG Corporate & Securities PresentationUSLFG Corporate & Securities Presentation
USLFG Corporate & Securities PresentationArmstrong Teasdale
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
Social Media Law: The Legal Do's and Don'ts of Social Media
Social Media Law: The Legal Do's and Don'ts of Social MediaSocial Media Law: The Legal Do's and Don'ts of Social Media
Social Media Law: The Legal Do's and Don'ts of Social MediaShawn Tuma
 
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...Shawn Tuma
 
Privacy and Access to Information Law - Lecture 1
Privacy and Access to Information Law - Lecture 1Privacy and Access to Information Law - Lecture 1
Privacy and Access to Information Law - Lecture 1James Williams
 
The regulatory environment of electronic commerce
The regulatory environment of electronic commerceThe regulatory environment of electronic commerce
The regulatory environment of electronic commerceWisnu Dewobroto
 
Age Verification / “Doing the Right Thing”
Age Verification / “Doing the Right Thing”Age Verification / “Doing the Right Thing”
Age Verification / “Doing the Right Thing”IDology, Inc
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technologyEzraGray1
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHealthCare Too, LLC
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protectionijtsrd
 
Paradise by the DASHBOARD Act?
Paradise by the DASHBOARD Act?Paradise by the DASHBOARD Act?
Paradise by the DASHBOARD Act?Maxx Cook
 
PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011Kimberly Verska
 
Rockstar-v-google-pdf
Rockstar-v-google-pdfRockstar-v-google-pdf
Rockstar-v-google-pdfGreg Sterling
 
Legal social ethical
Legal social ethicalLegal social ethical
Legal social ethicalSheetal Verma
 

Tendances (20)

Smartphones are smarter than you thought geo bellas
Smartphones are smarter than you thought geo bellasSmartphones are smarter than you thought geo bellas
Smartphones are smarter than you thought geo bellas
 
1984 in 2015 Protecting Employees' Social Media from Misuse
1984 in 2015 Protecting Employees' Social Media from Misuse1984 in 2015 Protecting Employees' Social Media from Misuse
1984 in 2015 Protecting Employees' Social Media from Misuse
 
The california consumer privacy act (ccpa) is in effect starting on january 1...
The california consumer privacy act (ccpa) is in effect starting on january 1...The california consumer privacy act (ccpa) is in effect starting on january 1...
The california consumer privacy act (ccpa) is in effect starting on january 1...
 
USLFG Corporate & Securities Presentation
USLFG Corporate & Securities PresentationUSLFG Corporate & Securities Presentation
USLFG Corporate & Securities Presentation
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law Center
 
Social Media Law: The Legal Do's and Don'ts of Social Media
Social Media Law: The Legal Do's and Don'ts of Social MediaSocial Media Law: The Legal Do's and Don'ts of Social Media
Social Media Law: The Legal Do's and Don'ts of Social Media
 
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...
Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business - ...
 
Big data: legal firms play ‘Moneyballʼ
Big data: legal firms play ‘Moneyballʼ Big data: legal firms play ‘Moneyballʼ
Big data: legal firms play ‘Moneyballʼ
 
Privacy and Access to Information Law - Lecture 1
Privacy and Access to Information Law - Lecture 1Privacy and Access to Information Law - Lecture 1
Privacy and Access to Information Law - Lecture 1
 
The regulatory environment of electronic commerce
The regulatory environment of electronic commerceThe regulatory environment of electronic commerce
The regulatory environment of electronic commerce
 
Age Verification / “Doing the Right Thing”
Age Verification / “Doing the Right Thing”Age Verification / “Doing the Right Thing”
Age Verification / “Doing the Right Thing”
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technology
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach Overview
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protection
 
Legal Matters in E-commerce
Legal Matters in E-commerceLegal Matters in E-commerce
Legal Matters in E-commerce
 
Paradise by the DASHBOARD Act?
Paradise by the DASHBOARD Act?Paradise by the DASHBOARD Act?
Paradise by the DASHBOARD Act?
 
Apple Report Privacy of its Users
Apple Report Privacy of its UsersApple Report Privacy of its Users
Apple Report Privacy of its Users
 
PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011PBPATL - Privacy Seminar 2011
PBPATL - Privacy Seminar 2011
 
Rockstar-v-google-pdf
Rockstar-v-google-pdfRockstar-v-google-pdf
Rockstar-v-google-pdf
 
Legal social ethical
Legal social ethicalLegal social ethical
Legal social ethical
 

Similaire à CCPA: What You Need to Know

Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Gagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationGagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationChristina Gagnier
 
Privacy issues in data analytics
Privacy issues in data analyticsPrivacy issues in data analytics
Privacy issues in data analyticsshekharkanodia
 
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docxhttpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docxadampcarr67227
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionJoe Nathans
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
Government Notification of Data Breach
Government Notification of Data BreachGovernment Notification of Data Breach
Government Notification of Data BreachShawn Tuma
 
Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...anthonywong
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Shawn Tuma
 
Data breach protection from a DB2 perspective
Data breach protection from a DB2 perspectiveData breach protection from a DB2 perspective
Data breach protection from a DB2 perspectiveCraig Mullins
 
The Changing Landscape of Cyber Liability
The Changing Landscape of Cyber LiabilityThe Changing Landscape of Cyber Liability
The Changing Landscape of Cyber LiabilityRachel Hamilton
 

Similaire à CCPA: What You Need to Know (20)

Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
Privacy Needs to be Personal
Privacy Needs to be PersonalPrivacy Needs to be Personal
Privacy Needs to be Personal
 
Cybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower ProtectionsCybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower Protections
 
Gagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationGagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago Presentation
 
Privacy issues in data analytics
Privacy issues in data analyticsPrivacy issues in data analytics
Privacy issues in data analytics
 
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docxhttpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
 
Cyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive DiscussionCyber security legal and regulatory environment - Executive Discussion
Cyber security legal and regulatory environment - Executive Discussion
 
GPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-RightGPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-Right
 
Data Breaches
Data BreachesData Breaches
Data Breaches
 
Government Notification of Data Breach
Government Notification of Data BreachGovernment Notification of Data Breach
Government Notification of Data Breach
 
IDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By WrfIDT Red Flags White Paper By Wrf
IDT Red Flags White Paper By Wrf
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Perspective on Information Management “New Social Media – The New Recor...
 
Gdpr in a nutshell
Gdpr in a nutshellGdpr in a nutshell
Gdpr in a nutshell
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
 
Data breach protection from a DB2 perspective
Data breach protection from a DB2 perspectiveData breach protection from a DB2 perspective
Data breach protection from a DB2 perspective
 
The Changing Landscape of Cyber Liability
The Changing Landscape of Cyber LiabilityThe Changing Landscape of Cyber Liability
The Changing Landscape of Cyber Liability
 

Plus de IronCore Labs

Rethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationRethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationIronCore Labs
 
How to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeHow to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeIronCore Labs
 
How to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationHow to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationIronCore Labs
 
How to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppHow to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppIronCore Labs
 
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)IronCore Labs
 
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearThe Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearIronCore Labs
 
2018 acm-scc-presentation
2018 acm-scc-presentation2018 acm-scc-presentation
2018 acm-scc-presentationIronCore Labs
 

Plus de IronCore Labs (7)

Rethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationRethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC Presentation
 
How to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeHow to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a Time
 
How to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationHow to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular Application
 
How to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppHow to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React App
 
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
 
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearThe Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
 
2018 acm-scc-presentation
2018 acm-scc-presentation2018 acm-scc-presentation
2018 acm-scc-presentation
 

Dernier

Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsGOKUL JS
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers referencessuser2c065e
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfDanny Diep To
 
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Associazione Digital Days
 
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...SOFTTECHHUB
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
NAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataNAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesEntrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesDavidSamuel525586
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdfMintel Group
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreNZSG
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterJamesConcepcion7
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOne Monitar
 

Dernier (20)

Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebs
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
 
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
 
WAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdfWAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdf
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
NAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataNAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors Data
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in PhilippinesEntrepreneurship lessons in Philippines
Entrepreneurship lessons in Philippines
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource Centre
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
 

CCPA: What You Need to Know

  • 1. CCPA:WHATYOUNEEDTOKNOW A white paper on California’s new data privacy law
  • 2. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 2 CCPA: What you need to know CONTENTS Executive Summary.................................................................................................................3 Does it even matter?....................................................................................................................3 What does it do?...........................................................................................................................4 What are the penalties?..............................................................................................................4 What businesses are impacted?.............................................................................................. 5 Detailed Breakdown................................................................................................................5 Consumer Rights......................................................................................................................... 5 Sensitive Data............................................................................................................................... 6 Consumers Covered................................................................................................................... 6 Businesses Covered................................................................................................................... 6 Obligations of a Covered Business.........................................................................................7 Enforcement / Penalties............................................................................................................. 9 Civil Penalties.............................................................................................................................9 Private Right of Action.............................................................................................................9 Exemptions / Exceptions...........................................................................................................10 Data Security Example..........................................................................................................10 Global Context.......................................................................................................................12 Further Reading..................................................................................................................... 13
  • 3. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 3 CCPA: What you need to know DISCLAIMER: This is not legal advice and does not substitute for it. EXECUTIVE SUMMARY The California Consumer Privacy Act (aka CCPA or AB 375) of 2018 shot through the Cali- fornia legislature in seven days. It was going to be on the November ballot and legislators feared it would become law without any opportunity for stakeholders (lobbyists and such) to weigh in and help shape it. The sponsors of the initiative agreed to take it off the ballot if the legislature would pass the bill within a deadline. They did. In the process, they wa- tered parts down, such as the elimination of rewards for whistle-blowers. Does it even matter? For many businesses, this law does not apply. For the rest, it either may cease to exist or may be radically watered down. The California law is under attack on a number of fronts. Now that it is law, it’s being actively amended. Large tech companies like Facebook, who spent $200,000 to try to stop the law despite publicly declaring to be in favor of it, are now trying to weaken it in these amendments. They are also trying to get the California Attorney General to issue rules that undercut the core principles and size of the penalties, for example by defining a “violation” as being per event rather than per person per event. These same companies are also pushing the U.S. Congress to enact a privacy law that preempts the California one. Even in a divided Wash- ington, there’s a good chance that we have a Federal law before January 1st, 2020, which is when the California law is scheduled to take effect. The big question is what shape such a law would take. Certainly there is a big push to make the law much more business friendly and much less protective of consumer privacy. The provisions around fines, around amount of disclosure, and around portability are all under attack. Despite the uncertainties, work towards CCPA compliance has to start now. Specifically, all sales of data must be tracked for 12 months before the law takes effect, which means beginning January 1st, 2019. Big tech companies aren’t exactly D.C. darlings at the moment. They might manage to preempt the California law with a toothless one, but it’s a risky bet. big tech companies aren’t exactly D.C. darlings at the moment
  • 4. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 4 CCPA: What you need to know What does it do? Although CCPA has been described as GDPR-light, it is in no way light on requirements or penalties. CCPA is focused on these core principles: 1. Transparency: consumers get to know what data is collected and for what pur- pose(s). If the data is sold or shared, they get to know the details of what and to whom. Consumers even get to know if a company has sold any data to anyone in the last 12 months. 2. Control: consumers get the right to opt-out (or opt-in for minors) of the sale of their data, the right to see the data, the right to have it erased, and, perhaps most signifi- cantly, the right to privately sue for damages if a company fails on any point. 3. Data security: companies are liable for both fines and civil suits (individual or in classes) for any personal information that they fail to protect from hackers or other misuse (ie, internal employees looking at data they shouldn’t without a business purpose). It’s worth noting that the data security provi- sions were added when, in the middle of writ- ing the bill, the Equifax breach came to light and it became clear that Equifax was reserving about $2 per person affected to deal with it and, in all likelihood, would make money off the breach by offering credit monitoring to their affected customers with a free introduc- tory period that turned to a paid subscription. What are the penalties? If a company does not adhere to the consumer rights in the bill, they can be fined $2,500 per violation, which the writers of the law intended to mean to be per person per incident. There are provisions for this to be adjusted down in some cases and at the discretion of the AG. If the violations are found to be willful, like if executives intentionally decided not to disclose a sale of data (versus an accidental omission), then the penalty can be up to $7,500 per violation. A company that intentionally sells the data of 50,000 consumers and willfully fails to disclose that fact, would face a $375 million fine. If a business is breached, a private right of action is given to consumers to sue for the
  • 5. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 5 CCPA: What you need to know greater of actual damages, or an amount between $100 and $750 per record. In the case of the Equifax breach, where 148 million consumers (56% of American adults) were impacted, a theoretical class action suit would result in damage awards starting at $14.8 billion and could go as high as $111 billion -- except in practice, only California residents could bring suit. So with 40 million residents, 31 million adults, and assuming only 56% of those were impacted, the highest amount Equifax would pay would be $13.1 billion, which is quite a bit more than the $300 million they set aside. What businesses are impacted? The law is generally aimed at two classes of businesses: 1. Data brokers: companies that either make a majority of their revenue by selling personal information of consumers or that trade (buy or sell) more than 50,000 records per year. 2. Large companies: companies with greater than $25 million in annual gross reve- nues. That means that the vast majority of small and mid-size businesses, including most tech startups, can skate by for now. DETAILED BREAKDOWN As always, the devil is in the details. This is not meant to be a comprehensive list of de- tails, but rather a survey of the most interesting parts of the law. Consumer Rights • Right to deletion: A consumer can request a business deletes their personal infor- mation and barring a good reason not to, the business must comply. • Right to know details: A consumer has the right to know exactly what data is col- lected both in specifics and in terms of the categories of data held. • Right to know source: A consumer may learn the categories of sources from which the data was obtained. • Right to know purpose: A consumer has the right to know the purpose for why data is collected, why it is being sold, and how it will be used.
  • 6. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 6 CCPA: What you need to know • Right to know sharing: A consumer has the right to know with whom their data is shared • Right to portability: A consumer may request a copy of their data and it must be provided in a portable and readily usable format. Unlike with GDPR, a company cannot charge for this. • Right to private action: A consumer has the right to sue a company for non-compli- ance. • Right to opt out: A consumer has the right to opt out of the sale of their personal information. For children 16 years old or younger, they or a guardian must first opt- in before their data can be sold. • Right of opt-out delegation: A consumer may enlist a third-party person or organi- zation to request opt out on their behalf. Sensitive Data Under CCPA, almost any data related to a consumer is considered to be personal infor- mation. Additionally, the list of information that is considered to be identifiable is long. Personal information includes real name, alias, online identifier, IP address, email address, health information, financial information, social security numbers, location information, biometric data, audio and visual data (pho- tos, recordings), ac- tivity information and history data, and any inferences that can be made from any of this information. Consumers Covered All residents of California. Unclear, but may also apply to visitors while they’re in state. Businesses Covered Applies to businesses in California, those that process information or buy or sell it in Cal- ifornia, and those that hold the data of residents of California. More broadly: if any part of a business or its customer base crosses into California, the law applies. the vast majority of small and mid-size businesses, including most tech startups, can skate by for now
  • 7. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 7 CCPA: What you need to know That said, a company must meet any one of a set of criteria before most of the provisions of the law kick in: • Large company: gross revenues over $25 million; or • Data broker: annually obtains, sells, or shares personal information of 50,000 con- sumers or more; or • Data vendor: derives more than half of its revenue from selling personal informa- tion. These qualifiers effectively exempt most small businesses and tech startups from the various provisions. Obligations of a Covered Business For large businesses, it’s likely that they’ve already undergone GDPR compliance efforts. With the exception of some very specific details like required home page links and cat- egorizations of information and partners, these companies should have very little incre- mental work. That said, there are a number of key obligations that covered businesses must meet: 1. Disclosure of rights: on websites and in privacy policies, companies must disclose the consumer rights in a way that is “reasonably accessible to consumers” (ie, not buried in legal docs alone). This includes disclosing the rights to delete, to ask for data, to opt-out, etc. 2. Disclosure of data use: at or before the point of collection, companies must inform consumers as to the categories of personal data to be collected and the purposes for which each category of personal data will be used, including the specifics of which information will be shared or disclosed, including the categories of partners that it will be shared with and the business purpose for the sharing. 3. Disclosure of data sales: even if information is no longer being sold and policies around sharing of information have changed, a company must update their privacy policy every 12 months to disclose any personal information that was sold in the preceding 12 months or to expressly state that no data was sold if that’s the case. 4. Respond to information requests: via at least two different methods in which one must, at a minimum, be a toll free telephone number and, if applicable, a web address. A response to a request for copies of personal information being held
  • 8. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 8 CCPA: What you need to know must be prompt and free of charge unless the requests are unfounded or exces- sive. Material must be provided in a portable and readily usable format. Company has 45 days to provide the data and may, with written notice, gain a single 45 day extension. A request for data must not require account creation. 5. Respond to erasure requests: and cascade those requests through to any service providers so they, too, delete the consumer’s records. 6. No resale: of any personal information that was obtained through a third-party may not be resold or shared unless the consumer has received explicit notice and is given the opportunity to opt out. 7. Provide opt-out: so consumers can elect to not have their data sold or shared. Cannot discriminate against consumers who opt out by denying them goods or ser- vices or by providing a different level of quality or by charing different prices unless the data is expressly needed to provide the product or service. A clear and conspicuous link on the business’s home page must exist and be titled, “Do Not Sell My Personal Information.” That link must allow a consumer to opt out without creating an account. Note 1: this calls into question the practice of making someone give their name and email before they can download a white paper. Note 2: a business may keep information that is needed in order to honor an opt- out request. 8. No nagging: opt out requests must be honored for 12 months before asking the consumer to reconsider. 9. Contracts with 3rd-parties: with whom personal information is shared must be updated to forbid the selling of information that is held on behalf of the company. It must forbid any use of the data outside of the specific business purpose of the relationship. The 3rd-party must sign a separate statement expressly certifying that they understand the CCPA regulations and that they are forbidden from using the personal information. 10. Explanations: If any consumer requests are denied, the consumer must be told why. For example, if they didn’t prove their identity or if there’s another reason why the data must not be deleted, that has to reflect back to the consumer. 11. Data protection: procedures and practices must be implemented and maintained to protect personal information from unauthorized access.
  • 9. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 9 CCPA: What you need to know Enforcement / Penalties Civil Penalties Civil penalties will be pursued by the California Attorney General (AG), who has a high degree of latitude in terms of levels of penalty sought, rule writing, and interpretation. For example, in the case of data security, the law is intentionally vague to allow the definition of “reasonable practices” to evolve over time. If a company is failing to meet the obligations of CCPA, they will first get a warning letter from the AG giving them 30 days to remedy the is- sue. If, after the 30 day period, the non-compliance issues remain, the AG may seek up to $2,500 per violation. The writ- ers of the law intended that to mean per consumer per event, but the final definition will be made by the AG before the law kicks in. If the AG believes the issues to be intentional, then the fines may increase to $7,500 per violation. Any collected fines go into a dedicated Consumer Privacy Fund that will pay for the AG’s efforts in this area. In the case of a data breach, the AG may seek penalties in addition to the private right of action explained below. Private Right of Action Individuals or groups of individuals in a class may directly sue companies who are respon- sible for unauthorized access to their personal information. In other words, if a company is hacked and personal information is stolen, then the ultimate victims of the theft, the individuals’ whose information was stolen, can seek compensation. There are three cases where companies may not be liable: • Encrypted: The accessed data was encrypted • Deidentified: The accessed data was redacted or otherwise deidentified • Well protected: The company had reasonable practices and procedures in place to protect the data. Damages in such a suit will be no less than $100 per record per incident and no more than $750 per record per incident or actual damages if they should be greater. this calls into question the practice of making someone give their name and email before they can download a white paper
  • 10. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 10 CCPA: What you need to know Exemptions / Exceptions • Consumer verification: A business may deny a request for data or erasure if they are unable to verify that a consumer (or agent of a consumer) making the request is who they say they are. • Conflicting law: A business may retain data that is required to meet Federal laws such as HIPAA and GLBA. • Public records: Any records that are public, such as if they are lawfully made avail- able by Fed/state/local Government (ie, property records) may be retained. • Excessive requests: Need not provide information if a consumer requests info more than twice in 12 months. • Contractual need: Need not delete data that is required to complete a transaction or a contract in an ongoing relationship with the consumer. • Intrusion or fraud detection: Need not delete data if it is required for detection of security incidents or fraud. • 1st amendment: Need not delete data if it would infringe on another consumer’s right to free speech. • Research: Need not delete data that is needed for public interest research. • Law enforcement: Must not delete data that is needed to comply with a legal obli- gation such as a law enforcement request. • Deidentified: Need not delete data that is deidentified or aggregated provided it can’t be re-identified and that the company takes the following measures to ensure that: a) technical safeguards; and b) business processes that prohibit reidentifica- tion; and c) business processes that prevent the release of such data. • Outside California: If data is collected and processed outside of CA and doesn’t pertain to a California resident. Note: can’t hold data on a device until a resident leaves the state and then transmit it. DATA SECURITY EXAMPLE This law very much had Equifax in mind when the data security component was added, per two of the writers of the original law. Since then, much more has come out about the Equifax breach, including the “Equifax Data Breach Report” by the Congressional House
  • 11. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 11 CCPA: What you need to know Oversight Committee. Equifax is an interesting case study because, by all accounts, they invested quite a bit in security. They had numerous teams including a “Global Threat and Vulnerability Man- agement” team. They had intrusion detection in place, scanners searching for out of date sofware, and more. In the CCPA, the security requirement is to “implement and maintain reasonable secu- rity procedures and practices appropriate to the nature of the information.” They cer- tainly implemented a number of security practices. But they fell down in the main- tenance side. In practice, however, they had numerous lapses. They were slow to respond to new vul- nerabilities, their intrusion detection software had not been working for 19 months, their scans for vulnerable software weren’t configured correctly and were falsely reporting that issues weren’t found. They also didn’t encrypt the sensitive personal information they held on consumers. These things led to the damning conclusion of the Congressional report: “Equifax, how- ever, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.” Sometimes, it’s hard to see how broken a system is until it fails spectacularly. This was an organization who spent a lot on security, but ultimately failed to manage the complexities of their environment. It’s easy to imagine CCPA leading to massive class action awards with penalties in the billions for this mismanagement. sometimes it’s hard to see how broken a system is until it fails spectacularly
  • 12. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 12 CCPA: What you need to know GLOBAL CONTEXT Blue - Comprehensive Data Protection Law Enacted (118:99 UN/19 self gov) Red - Pending Bill or Initiative to Enact Law (36/3) White - No initiatives or no information (58) National Comprehensive Data Protection/Privacy Laws and Bills 2018 BS LC TT VC CV HK JM MU MT AD MC SM MO TW DB IS SC IM GG JE GI SG FO CY VG BB KY DM QA FO KN CR DO SV BM David Banisar September 2018 SX CW BQ GD AG ST AD AX AW GT HN MS BN SH LB NI PA EG BH BZ California’s newest privacy law is just one of many. Over 100 countries have enacted data privacy laws and dozens more have legislation pending. Despite the map above, the U.S. does have pending data privacy legisltation, and that’s in addition to a patchwork of laws with privacy requirements for the handling of health care data (HIPAA), financial data of public companies (SOX), data on students (FERPA), children (COPPA), and more. For companies who have customers that operate around the world, the complexity of complying with these laws is daunting and getting worse almost daily. At a macro level, the overriding theme of these laws is putting the control of a consumer’s data into the hands of the consumer so that they know how their data is used and can ob- ject to it. In this way, CCPA is unexceptional. Another common theme is the requirement to protect the data from being exposed to unauthorized people. In nearly every case, there is a specific clause that calls out the idea that a company has not lost data if the thieves can only see it in encrypted form. Which is why stories like the Equifax story are so sur- prising. Why didn’t Equifax encrypt the data? There were over 30 things they screwed up, any of which could have prevented, detected, or blocked the attack. The simplest and most obvious is encryption.
  • 13. © IronCore Labs, Inc. • 1750 30th Street #500, Boulder, CO 80301 • 415-968-9607 • ironcorelabs.com 13 CCPA: What you need to know FURTHER READING Alastair Mactaggart and Ashkan Soltani, two of the folks most responsible for making CCPA happen, maintain a website that’s all about CCPA and the ongoing battles: https://www.caprivacy.org/ If you’d like to read the actual bill, you’ll need to first read the bill that passed in Summer 2018, and then read each of the amendments. For the moment, only one has been made law. These two links are the ones to dig into: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1121