topic Re: What about the effects of CCPA? in Privacy

What about the effects of CCPA?

Caute_cautim — Thu, 03 Jan 2019 19:22:21 GMT

What about the effects of the CCPA?

https://oag.ca.gov/news/press-releases/attorney-general-becerra-hold-public-forums-california-consumer-privacy-act-part

SACRAMENTO – California Attorney General Xavier Becerra announced today that the California Department of Justice will hold six public forums on the California Consumer Privacy Act (CCPA). The forums will provide an initial opportunity for the public to participate in the CCPA rulemaking process. As part of this process, the Department of Justice invites all members of the public to speak at these events.

The CCPA grants consumers new rights with respect to the collection and use of their personal information. Businesses are prohibited from discriminating against consumers for exercising their rights under the CCPA.

As required by the CCPA, the Attorney General must adopt certain regulations on or before July 1, 2020. Effective January 1, 2020, businesses must comply with the CCPA’s key requirements:

Businesses must disclose data collection and sharing practices to consumers;
Consumers have a right to request their data be deleted;
Consumers have a right to opt out of sale or sharing of their personal information; and
Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent."

Regards

Caute_cautim

Re: What about the effects of CCPA?

dcontesti — Fri, 04 Jan 2019 08:25:53 GMT

The more I read on CCPA, the more confused I get.

I read, it's like GDPR but different but that is qualified with "we probably won't know all the details until January, 2020.

I have also read that the law was put together rapidly to avoid "more stringent" laws.

The current fines associated with this new law seem to be excessive. See this article:

https://searchsecurity.techtarget.com/blog/Security-Bytes/Is-the-new-California-privacy-law-a-domestic-GDPR

This articles goes on to say that most businesses may not be affected by the law.

So you raise a good question....what will the effects off CCPA be?

So if anyone has any opinions/thoughts, would love to have a conversation and maybe do a comparison of different laws (PIPEDA, GDPR, CCPA).

Best

Diana

Re: What about the effects of CCPA?

Caute_cautim — Sat, 05 Jan 2019 00:26:46 GMT

@dcontesti I know there is a lot of conjecture from various sources including IAPP, and this link:

https://fpf.org/2018/11/28/fpf-and-dataguidance-comparison-guide-gdpr-vs-ccpa/

However, you have to subscribe to obtain the full analysis, but may be useful as a starting point.

I see a convergence of both Privacy and Security happening this year, and indeed it is subject that we may all have to ensure we have a strong grasp especially from a Privacy by Design and Security by Design perspective.

Regards

Caute_cautim

Re: What about the effects of CCPA?

Hartenstein_JD — Sat, 05 Jan 2019 00:29:25 GMT

I'm willing to discuss it with you Diana.

The law wasn't necessarily put together rapidly. The method in which Assembly Bill 375 was signed into law was faster than making it a ballot measure for voting. Yes, AB 375 (aka CCPA) is considered by many to be less stringent than what would have otherwise reached ballots. Nonetheless, its now a law to be enforceable January 1, 2020, giving consumers a private right of action, and in July 1, 2020 for the government.

Most businesses will be impacted by the law even if it only affects their strategic plan or growth trajectory. The businesses that will fall under the law is the gist of your question though, right?

1. Businesses operating in CA serving CA consumers with either:

2. annual revenue of >$25M,

3. >50,000 data subjects

or %50 revenue derived from selling consumer data.

I'd agree that most businesses will not fall under the law, but I wouldn't say that most wouldn't be effected. Avoiding compliance with the law although your business meets the above factors is also available because the law has exceptions written in. Do you have any questions about exceptions? Such as when a company would not have to comply with a consumer's request to be erased for example?

Re: What about the effects of CCPA?

Caute_cautim — Sat, 05 Jan 2019 00:49:29 GMT

@Hartenstein_JD Some very detailed information from yourself. I think as Diana suggested it would be good to compare the various legislation in the same fashion that the Cloud Security Alliance (CSA) provides for various international security information standards as further information is gained and developed.

Regards

Caute_cautim

Re: What about the effects of CCPA?

Hartenstein_JD — Sat, 05 Jan 2019 01:14:39 GMT

That's an excellent idea. I would definitely benefit from that as well. @Caute_cautim

I have no connection to this firm, but I think they're onto a great start here with this comparison chart.

https://www.whitecase.com/publications/article/ccpa-and-gdpr-comparison-certain-provisions

Re: What about the effects of CCPA?

dcontesti — Sat, 05 Jan 2019 04:39:19 GMT

@Caute_cautim I agree with you that there will be a convergence between Privacy and Security and it will happen faster than we think (unfortunate for some).

PIPEDA in Canada has been around since 2000 and recently underwent some changes (Nov. 2018(.

Great link with lots of great comparisons, definitely helps one understand what is happening.

Re: What about the effects of CCPA?

dcontesti — Sat, 05 Jan 2019 10:12:12 GMT

Here's an article in the Harvard Business Review on Privacy and Security convergence.

Diana

https://hbr.org/2019/01/privacy-and-cybersecurity-are-converging-heres-why-that-matters-for-people-and-for-companies

Re: What about the effects of CCPA?

Caute_cautim — Sun, 06 Jan 2019 18:33:27 GMT

Thank you

Re: What about the effects of CCPA?

Caute_cautim — Tue, 08 Jan 2019 01:34:49 GMT

New Zealand is about to bring its own Privacy Act into alignment with GDPR. Recent discussions about Blockchain and the use of encryption. So much going on at the moment:

https://www.cio.co.nz/article/654560/cio-upfront-blockchain-privacy-encryption-solution/

Regards

Caute_cautim

Re: What about the effects of CCPA?

DHerrmann — Wed, 09 Jan 2019 19:14:32 GMT

Believe me - our privacy attorneys are working hard on CCPA.

I hope they end up having the controller/processor nomenclature like GDPR. It helps to assign responsibilities.

Re: What about the effects of CCPA?

Hartenstein_JD — Wed, 09 Jan 2019 19:15:15 GMT

Regarding blockchain, GDPR, and Encryption as referenced in the CIO article above:

Encryption (and/or Tokenization) of data may have its place the blockchain/immutability/GDPR discussion, but I don't see the use case for encryption as valuable as that article made it seem, at least not in the context it was described because;

-Private blockchains versus public blockchains touch on permission-based versus permission-less databases.

-Private encryption key ownership of data on blocks will upset "distributed-ness" of the ledger.

-Not every industry has a worthwhile business-case for use of blockchain.

These three factors synchronize that where blockchain is appropriate, it may be implemented in a manner in which encryption might not add the value described in the article....but...

More importantly, GDPR right to deletion mirrors well with CCPA § 1798.105(d), which states:

A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:

detect and maintain information security;
exercise a right provided by law;
comply with the California Electronic Communications Privacy Act;
enable solely internal uses that are reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business;
comply with a legal obligation.

This points to these ways that deletion requests can be avoided, (let alone a use-case for encryption and key destruction):

1. Information security convergence with data privacy is already converged.

2. Exercise 1st amendment freedom of speech

3. Senate Bill 178, §1546.1(b) = gov may compel production of the consumer data, so biz can't delete it.

4. Who gets to define "reasonably aligned"? (=How much attorney fee$ are you willing to pay for deletion?)

5. Data retention requirements, subpoena, or compliance with #3, etc.

Re: What about the effects of CCPA?

dcontesti — Tue, 15 Jan 2019 12:56:31 GMT

@Hartenstein_JD

To be the devil's advocate, under these conditions:

@Hartenstein_JD wrote:
Regarding blockchain, GDPR, and Encryption as referenced in the CIO article above:

More importantly, GDPR right to deletion mirrors well with CCPA § 1798.105(d), which states:
A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
detect and maintain information security;
exercise a right provided by law;
comply with the California Electronic Communications Privacy Act;
enable solely internal uses that are reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business;
comply with a legal obligation.

One could argue that personal information will never be deleted, which is troublesome to me.

An additional argument against encryption is that some vendors will not support it, so data may be encrypted in transit but not at rest which leaves it vulnerable. Also folk that use the data do things like putting data into spreadsheets and storing them on hard drives or thumb drives in unencrypted formats....which can and has lead to data breaches.

I agree that encryption may not be as useful as the article leads one to believe.

Regards

Diana

Re: What about the effects of CCPA?

la_joella — Sun, 11 Aug 2019 01:21:00 GMT

We are now closer to the January 1st, 2020 start date, I wonder if companies in California that did not comply with GDPR are moving towards compliance with CCPA?

In my instance, we do not have to comply on January 1, but will probably meet the requirement to comply with CCPA at some point in 2020 so we are updating privacy policy/statement and mapping out how process request validation, how to automate reporting for requests, including deletion and pseudonymization.

Has anyone found off the shelf CCPA tools? I know every org is different, but the "use the GDPR checklist" solution is a little misleading.