Caute_cautim
Community Champion

What about the effects of CCPA?

https://oag.ca.gov/news/press-releases/attorney-general-becerra-hold-public-forums-california-consum...

"SACRAMENTO – California Attorney General Xavier Becerra announced today that the California Department of Justice will hold six public forums on the California Consumer Privacy Act (CCPA). The forums will provide an initial opportunity for the public to participate in the CCPA rulemaking process. As part of this process, the Department of Justice invites all members of the public to speak at these events.

The CCPA grants consumers new rights with respect to the collection and use of their personal information. Businesses are prohibited from discriminating against consumers for exercising their rights under the CCPA.

As required by the CCPA, the Attorney General must adopt certain regulations on or before July 1, 2020. Effective January 1, 2020, businesses must comply with the CCPA’s key requirements:

  • Businesses must disclose data collection and sharing practices to consumers;
  • Consumers have a right to request their data be deleted;
  • Consumers have a right to opt out of sale or sharing of their personal information; and
  • Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent."

Regards

Caute_cautim

13 Replies
DHerrmann
Contributor II

Believe me - our privacy attorneys are working hard on CCPA.
I hope they end up having the controller/processor nomenclature like GDPR.   It helps to assign responsibilities.

Hartenstein_JD
Newcomer II

Regarding blockchain, GDPR, and Encryption as referenced in the CIO article above:

Encryption (and/or Tokenization) of data may have its place in the blockchain/immutability/GDPR discussion, but I don't see the use case for encryption as valuable as that article made it seem, at least not in the context it was described, because:

-Private blockchains versus public blockchains touch on permission-based versus permission-less databases.

-Private encryption key ownership of data on blocks will upset "distributed-ness" of the ledger.

-Not every industry has a worthwhile business-case for use of blockchain.

These three factors synchronize that where blockchain is appropriate, it may be implemented in a manner in which encryption might not add the value described in the article....but...


More importantly, GDPR right to deletion mirrors well with CCPA § 1798.105(d), which states:

A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:

  1. detect and maintain information security;
  2. exercise a right provided by law;
  3. comply with the California Electronic Communications Privacy Act;
  4. enable solely internal uses that are reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business;
  5. comply with a legal obligation.

This points to these ways that deletion requests can be avoided (let alone a use-case for encryption and key destruction):

1. Information security convergence with data privacy is already converged.

2. Exercise 1st amendment freedom of speech

3. Senate Bill 178, §1546.1(b) = gov may compel production of the consumer data, so biz can't delete it.

4. Who gets to define "reasonably aligned"? (=How much attorney fee$ are you willing to pay for deletion?)

5. Data retention requirements, subpoena, or compliance with #3, etc.

dcontesti
Community Champion

@Hartenstein_JD

To be the devil's advocate, under these conditions:

@Hartenstein_JD wrote:

Regarding blockchain, GDPR, and Encryption as referenced in the CIO article above:

More importantly, GDPR right to deletion mirrors well with CCPA § 1798.105(d), which states:

A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:

  1. detect and maintain information security;
  2. exercise a right provided by law;
  3. comply with the California Electronic Communications Privacy Act;
  4. enable solely internal uses that are reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business;
  5. comply with a legal obligation.

One could argue that personal information will never be deleted, which is troublesome to me.


An additional argument against encryption is that some vendors will not support it, so data may be encrypted in transit but not at rest, which leaves it vulnerable. Also, folks who use the data do things like putting data into spreadsheets and storing them on hard drives or thumb drives in unencrypted formats....which can and has led to data breaches.

I agree that encryption may not be as useful as the article leads one to believe.

Regards

Diana

la_joella
Newcomer I

We are now closer to the January 1st, 2020 start date. I wonder if companies in California that did not comply with GDPR are moving towards compliance with CCPA?

In my instance, we do not have to comply on January 1, but will probably meet the requirement to comply with CCPA at some point in 2020, so we are updating our privacy policy/statement and mapping out how to process request validation and how to automate reporting for requests, including deletion and pseudonymization.


Has anyone found off the shelf CCPA tools? I know every org is different, but the "use the GDPR checklist" solution is a little misleading.