An Executive Guide CCPA: The Why, When, Where, What , and Who Guide to the California Consumer Privacy Act -2018
()
About this ebook
Just as the EU GDPR set out the stringent rules to contain the security and privacy malpractices of online business when conducting business with EU citizens the CCPA will also enforce the best behavior and best practices in ensuring that businesses in California or those that trade with Californians provides an ethical service by safeguarding their right to privacy. The California Consumer Privacy Act - 2018 was signed into law on the 28th June 2018. It was the culmination of a fascinating journey through a ballot initiative bill proposed by a local real estate businessman. The CCPA overcame fierce resistance from the tech lobbyists and local business coalitions to make it into law because it provides and enforces the three pillars of ethical behavior, Transparency, Control, and Accountability the very things that the citizens of California are now demanding from their service providers and the tech behemoths. In this book we cover the Why, When, Where, What, and Who of the CCPA how it came about, what it is and what effects it will have on business. We will study the individual provisions and privacy rights that it bestows upon the citizens of California and the responsibilities of businesses to uphold those rights and how best they can develop strategies for compliance. However, as the Act was rushed through the Legislative Process it has many nuances, ambiguities, and downright contradictions so we will examine many of these and consider possible changes to the text before it comes into operation in 2020.
Read more from Alasdair Gilchrist
Google Cloud Platform an Architect's Guide Rating: 5 out of 5 stars5/5REST API Design Control and Management Rating: 4 out of 5 stars4/5Google Cloud Platform for Data Engineering: From Beginner to Data Engineer using Google Cloud Platform Rating: 5 out of 5 stars5/5Supply Chain 4.0: From Stocking Shelves to Running the World Fuelled by Industry 4.0 Rating: 3 out of 5 stars3/5The Certified Ethical Hacker Exam - version 8 (The concise study guide) Rating: 3 out of 5 stars3/5Spreadsheets To Cubes (Advanced Data Analytics for Small Medium Business): Data Science Rating: 0 out of 5 stars0 ratingsA Practical Guide Wireshark Forensics Rating: 5 out of 5 stars5/5An Executive Guide to Identity Access Management - 2nd Edition Rating: 4 out of 5 stars4/5Concise Guide to DWDM Rating: 5 out of 5 stars5/5Concise Guide to OTN optical transport networks Rating: 4 out of 5 stars4/5Six Sigma Yellow Belt Certification Study Guide Rating: 0 out of 5 stars0 ratingsGoogle Cloud Platform - Networking Rating: 0 out of 5 stars0 ratingsA Last Minute Hands-on Guide to GDPR Readiness Rating: 0 out of 5 stars0 ratingsDigital Success: A Holistic Approach to Digital Transformation for Enterprises and Manufacturers Rating: 0 out of 5 stars0 ratingsA Concise Guide to Object Orientated Programming Rating: 0 out of 5 stars0 ratingsConcise Guide to CompTIA Security + Rating: 3 out of 5 stars3/5The Layman's Guide GDPR Compliance for Small Medium Business Rating: 5 out of 5 stars5/5Concise and Simple Guide to IP Subnets Rating: 5 out of 5 stars5/5The Concise Guide to SSL/TLS for DevOps Rating: 5 out of 5 stars5/5PSD2 - Open Banking for DevOps(Sec) Rating: 5 out of 5 stars5/5Tackling Fraud Rating: 4 out of 5 stars4/5A Concise Guide to Microservices for Executive (Now for DevOps too!) Rating: 1 out of 5 stars1/5GDPR for DevOp(Sec) - The laws, Controls and solutions Rating: 5 out of 5 stars5/5Why Industry 4.0 Sucks! Rating: 0 out of 5 stars0 ratingsAn Introduction to SDN Intent Based Networking Rating: 5 out of 5 stars5/5The Concise Guide to the Internet of Things for Executives Rating: 4 out of 5 stars4/5FinTech Rising: Navigating the maze of US & EU regulations Rating: 5 out of 5 stars5/5SRS - How to build a Pen Test and Hacking Platform Rating: 2 out of 5 stars2/5ChatGPT Will Won't Save The World Rating: 0 out of 5 stars0 ratingsA concise guide to PHP MySQL and Apache Rating: 4 out of 5 stars4/5
Related to An Executive Guide CCPA
Related ebooks
The California Consumer Privacy Act (CCPA): An implementation guide Rating: 4 out of 5 stars4/5The California Privacy Rights Act (CPRA) – An implementation and compliance guide Rating: 0 out of 5 stars0 ratingsEU GDPR – An international guide to compliance Rating: 0 out of 5 stars0 ratingsData Protection Compliance in the UK: A Pocket Guide Rating: 5 out of 5 stars5/5SECURITY AND PRIVACY IN AN IT WORLD: Managing and Meeting Online Regulatory Compliance in the 21st Century Rating: 5 out of 5 stars5/5EU GDPR - A pocket guide, second edition Rating: 0 out of 5 stars0 ratingsData Protection and the Cloud: Are the risks too great? Rating: 4 out of 5 stars4/5Regulating Cross-Border Data Flows: Issues, Challenges and Impact Rating: 0 out of 5 stars0 ratingsThe IT / Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media and IP Law Rating: 5 out of 5 stars5/5The Cybersecurity Maturity Model Certification (CMMC) – A pocket guide Rating: 0 out of 5 stars0 ratingsThe Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks Rating: 0 out of 5 stars0 ratingsInformation Governance: Concepts, Strategies, and Best Practices Rating: 4 out of 5 stars4/5Privacy, Regulations, and Cybersecurity: The Essential Business Guide Rating: 0 out of 5 stars0 ratingsGDPR For Dummies Rating: 0 out of 5 stars0 ratingsData Privacy Complete Self-Assessment Guide Rating: 5 out of 5 stars5/5Certified Information Privacy Professional A Clear and Concise Reference Rating: 0 out of 5 stars0 ratingsPrivacy by design A Complete Guide - 2019 Edition Rating: 0 out of 5 stars0 ratingsGDPR for DevOp(Sec) - The laws, Controls and solutions Rating: 5 out of 5 stars5/5Data Privacy Laws A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsEU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition Rating: 0 out of 5 stars0 ratingsData Protection and Compliance: Second edition Rating: 0 out of 5 stars0 ratingsBig Data Privacy Second Edition Rating: 0 out of 5 stars0 ratingsPrivacy By Design A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsThe Layman's Guide GDPR Compliance for Small Medium Business Rating: 5 out of 5 stars5/5Cybersecurity Law, Standards and Regulations, 2nd Edition Rating: 0 out of 5 stars0 ratingsUltimate GDPR Practitioner Guide (2nd Edition): Demystifying Privacy & Data Protection Rating: 0 out of 5 stars0 ratingsData Protection Standard Requirements Rating: 0 out of 5 stars0 ratingsPrivacy’s Blueprint: The Battle to Control the Design of New Technologies Rating: 5 out of 5 stars5/5Privacy By Design A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCIPT A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratings
Internet & Web For You
More Porn - Faster!: 50 Tips & Tools for Faster and More Efficient Porn Browsing Rating: 3 out of 5 stars3/5Python: Learn Python in 24 Hours Rating: 4 out of 5 stars4/5Introduction to Internet Scams and Fraud: Credit Card Theft, Work-At-Home Scams and Lottery Scams Rating: 4 out of 5 stars4/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Podcasting For Dummies Rating: 4 out of 5 stars4/5Cybersecurity For Dummies Rating: 4 out of 5 stars4/5Coding For Dummies Rating: 5 out of 5 stars5/5Learn HTML Programming in 7 Days: Ultimate Beginners Guide to Build and Design Your Own Website Rating: 4 out of 5 stars4/5The Digital Marketing Handbook: A Step-By-Step Guide to Creating Websites That Sell Rating: 5 out of 5 stars5/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5How to Disappear and Live Off the Grid: A CIA Insider's Guide Rating: 0 out of 5 stars0 ratingsRemote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5The Internet Is Not What You Think It Is: A History, a Philosophy, a Warning Rating: 4 out of 5 stars4/5Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5Six Figure Blogging Blueprint Rating: 5 out of 5 stars5/5The Beginner's Affiliate Marketing Blueprint Rating: 4 out of 5 stars4/5200+ Ways to Protect Your Privacy: Simple Ways to Prevent Hacks and Protect Your Privacy--On and Offline Rating: 0 out of 5 stars0 ratingsHow To Make Money Blogging: How I Replaced My Day-Job With My Blog and How You Can Start A Blog Today Rating: 4 out of 5 stars4/5How To Start A Profitable Authority Blog In Under One Hour Rating: 5 out of 5 stars5/5Lying and Lie Detection: A CIA Insider's Guide Rating: 0 out of 5 stars0 ratingsHow To Start A Podcast Rating: 4 out of 5 stars4/5C++ Learn in 24 Hours Rating: 0 out of 5 stars0 ratingsUltimate Guide for Being Anonymous: Hacking the Planet, #4 Rating: 5 out of 5 stars5/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratings
Reviews for An Executive Guide CCPA
0 ratings0 reviews
Book preview
An Executive Guide CCPA - alasdair gilchrist
Chapter 1 – The motivation behind the CCPA?
The surge in public support
The Catalyst for CCPA
Why Facebook –Cambridge Analytica was a scandal
Who does the CCPA effect?
The Data Supply Chain
Chapter 2 – The Quest
The Timeline
The Ballot Initiative reaches its target
What is the AB 375 bill?
Chapter 3 – Who are the major players
Californians for Consumer Privacy
Common Sense Kids
Electronic Frontier Foundation
Privacy Rights Clearinghouse
The Opponents
Chamber of Commerce (CalChamber)
Internet Association
TechNet
The Business Coalition
Chapter 4 – What is the CCPA?
Brief History on California Privacy Laws
CCPA – Relevant for the digital age
What is the CCPA’s (AB 375) Scope: Covered Entities, Personal Information
and Consumers
Penalties
Chapter 5 – The Clean Up – (SB 1211)
1798.100 - Consumers right to receive information on privacy practices and access information
1798.105 - Consumers right to deletion
1798.110 - Information required to be provided as part of an access request
1798.115 - Consumers right to receive information about onward disclosures
1798.120 - Consumer right to prohibit the sale of their information
1798.125 - Price discrimination based upon the exercise of the opt-out right
1798.130 - Means for exercising consumer rights
1798.135 – Opt out link
1798.140 - Definitions
1798.145 - Interaction with other statutes, rights, and obligations
1798.150 - Civil Actions
1798.155 - Attorney General Guidance and enforcement
1798.160 - Consumer privacy fund
1798.175 - Intent, scope, and construction of title
1798.180 -Preemption
1798.185 - Adoption of regulations
1798.190 - Intermediate steps or transactions to be disregarded
1798.192 - Void and unenforceable provisions of contract or agreement
1798.194 - Liberal construction of title
1798.196 - Construction with federal law and California constitution
1798.198 - Operative date pre-condition
1798.199 - Operative date
Chapter 6 – Where is the conflict?
The Clean-Up (SB 1121)
Room for Improvement
SB 1121 passes into law
Key SB-1121 amendments to the CCPA include:
A summary guide to the CCPA
Where are other potential issues buried
The private right of action
Chapter 7 - Compliance
Avoid the CCPA’s jurisdiction
Issues and Damages for Non-Compliance
Summary of compliance requirements
Data security
Service Provider Agreements
Frequently Asked Questions
Lessons Learned from GDPR
Consolidate and Secure Personal Information
Chapter 1 – The motivation behind the CCPA?
The popular telling of the tale goes that Alastair Mactaggart, a wealthy real estate developer in the Bay Area, became the most improbable, and perhaps the most audacious privacy activist in America through a causal conversation with a Google engineer at a dinner party. How this episode of political awakening came around was something more suited to a TV drama rather than the mundane real-world of legislative process even by Sacramento’s flamboyant standard.
The story begins a few years ago, on a night in the hills above Oakland, Calif. where Alastair Mactaggart and his wife were entertaining some friends invited over for dinner. Coincidently, one of the guests was a software engineer at Google, the Internet Behemoth whose search and video sites are visited by over a billion people a month. As the evening settled in, Alastair Mactaggart asked his friend in casual conversation if he should be worried about the amount of information that Google collected about him. To Alastair Mactaggart’s surprise his friend told him that if people realised how much Google really knows about them, they would flip out.
Now the enormity of this is that Alastair Mactaggart is no unworldly academic or swivel-eyed loon, he is a wealthy and successful businessman. Also, he had built his company on the back of condominiums in the Bay Area that provide the accommodation for the wealthy employees of Silicon Valley. Nonetheless, he was taken aback by the reply, as he had never really thought about how companies like Google or Facebook monetized their businesses. He knew of course about the the vast pools of data they collected and monetized through directed marketing but these were abstractions, something he knew existed but had not given much thought or dwelled upon.
However, it was that casual social interaction that was the genesis for the improbable transformation of Alastair Mactaggart, from a successful property developer, a businessman, to an indefatigable privacy activist. Indeed over the next two years he and his team would be the bane of the Chamber of Commerce and the tech industry.
Suitably intrigued Mactaggart began to delve deeper into the business models and practices of the tech companies. He spent a lot of time researching their business models, taking a special interest in studying their opaque privacy policies. As a result, he duly learned about how tech businesses used online tracking and data trading to build profiles of users that could be traded through a data supply chain. And that there was no real limit on the information companies could collect or buy about him. To him this was frightening.
Furthermore, he discovered that in the United States there was no single, comprehensive law regulating the collection and use of personal data. There were rules and protocols but these were largely established by the very companies that harvested and traded in data. What is more, the consumers whose data was being harvested were unaware of the scale or the purpose of collection let alone the intrusiveness of the operation as details were obscured within privacy policies and end-user agreements most people never actually read.
As Alastair Mactaggart began to scrutinize these privacy policies closely, he discovered that buried in the legalese were clauses that effectively gave the business the user’s consent for the collection, processing and sharing of a vast array of personal information. He soon was appalled at the duplicity of the respected tech giants and their methods employed for the misappropriation of personal information that was being collected and shared by online businesses. This was the catalysts that spurred his interest in online privacy and this led to a two-year effort, which he personally funded, to get a privacy law for California on the books.
Alastair Mactaggart was able to become a champion of consumer privacy simply because in California it is not just politicians and legislators that can propose new laws, residents can also propose new bills through a ballot initiative so long as they can show popular support by obtaining sufficient verifiable signatures. Ultimately, Alastair Mactaggart obtained more than double the amount of sufficient signatures to put a ballot initiative before the California voters in November 2018 that, if approved, would have enacted a data privacy law.
Initially, the signature collection effort for consumer privacy was a slow process. Volunteer activists had to canvas for support to gain signatories – going door-to-door or working the commuter trains -from Californians that despite working for tech companies would still hopefully support such a privacy bill. Perhaps, it was this lack of traction that may have initially flat-footed the tech industry for they appear to have been rather slow in their response to the ballot initiative.
However, the ballot initiative suddenly gained steam in the spring of 2018. Suddenly there was public support and whereas before there was apathy now there was energy. This was a process perhaps spurred by growing privacy concerns among the public, as a result of the Facebook data breach debacle in spring 2018. However, the Chamber of Commerce and the tech industry did awaken to the threat as they became concerned that the ballot initiative was gaining too much public support. Then they were quick to launch a campaign of opposition to try to derail and debunk the ballot initiative. Indeed, later, when the state legislature and the tech companies realised that the ballot initiative had overwhelmingly public support that exceeded the required number of verified signatories they became alarmed to the far-reaching nature of the law. Importantly they were concerned with the fact that a ballot-driven law is more difficult to amend in the future, as to change or repeal it required a 70% vote in both houses and more likely a fresh ballot initiative. Consequently, the legislature cut a deal with Alastair Mactaggart, to pass a somewhat watered down version of his bill in exchange for him withdrawing from the ballot due in November 2018. Thus the CCPA was abruptly negotiated, drafted, and shortly thereafter signed into law on June 28, 2018. It will go into effect on January 1, 2020. As it stands the CCPA is arguably the most significant advance in privacy protection introduced in the United States.
The surge in public support
One suggestion for the late surge in popular support for Alastair Mactaggart’s ballot initiative is that in the spring of 2018 the EU’s General Data Protection Regulation (GDPR) came into effect and combined with the Cambridge Analytica scandal made consumer data privacy a hot topic. As a result Alastair Mactaggart’s main question, which is, ‘in a world where most people have no choice but to have a phone or computer, how can they maintain control over their personal data to ensure it, stays personal?’ – chimed well with the sentiments of the time.
Indeed, his goal of developing a privacy law focusing on transparency, control and accountability dovetailed well with public sentiment. The citizens of California were growing increasingly concerned and impatient with the seemingly never ending stream of breaches and the nonchalant attitude of the tech giants towards consumer privacy. Mactaggart’s ballot initiative was a timely banner to gather beneath as it introduced three pillars for consumer privacy; transparency, control and accountability and that proved popular with potential voters. The 3 pillars became the basis of the ballot initiative created by Californians for Consumer Privacy: the California Consumer Rights Privacy Act, which surged forward in the late spring of 2018 catching their opponents for once off-guard.
The bill received 625,000 signatures, which is almost twice the number required for an initiative to be included on the California ballot.
The Catalyst for CCPA
During the spring of 2018 there was no escaping the deluge of stories about Cambridge Analytica and Facebook. The mainstream media interest peaked when a pink-haired ex-Cambridge Analytica academic regaled his story to The Guardian and The New York Times. Not to be outdone TV journalists at Channel 4 News secured undercover footage of Cambridge Analytica executives boasting of their successes using their controversial techniques and services. There was unsurprisingly a backlash against Cambridge Analytica and Facebook. Questions about the use and misuse of personal data therefore were high in the public’s mind as Alastair Mactaggart’s ballot initiative entered the final crucial few months of the 2-year campaign. If that was not bad enough for the tech industry, things could have been much worse as Google also had suffered an almost identical failure of process under it Google+ application, which has also compromised the personal information of over 50 million users. Google, fearful that a public scandal would accelerate and fuel the demand for privacy regulation on the tech industry fixed the vulnerability in 3 days and then decided to keep quiet. Google’s shameful act of concealing the compromise of over 50 million users personal information would only surface in the fall of 2018. In the meantime Facebook took the full brunt of the public fury but not without some justification. This was because in addition to the Cambridge Analytica catastrophe they had further major breaches in July and a hugely damaging breach in September which compromised around 90 million accounts.
Public confidence in the tech industries ability to protect their personal information plummeted and their anxiety rocketed with the breaking news of yet another security blunder. Indeed in 2018 alone there were major breaches that occurred that were eminently preventable had security controls been in place. One such example pertinent to Californians was that in February, an anonymous attacker seized two databases owned and operated by The Sacramento Bee, a daily newspaper published in Sacramento, California. One of those IT assets contained California voter registration data provided by California’s Secretary of State, while the other stored contact information for subscribers to the newspaper. According to The Sacramento Bee, the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters.
Why Businesses should be concerned
Underpinning the Ballot campaign was the desire to protect consumer privacy through the creation of a set of rights roughly analogous to certain of the rights under the GDPR in Europe. Consequently, after a lot of the horse-trading between the legislators and Alastair Mactaggart’s team, the CCPA will grant California residents the right to access, delete, port out, and opt out of the sale of their personal information. Currently, Personal information is very broadly defined and it includes anything that relates to a person, household or device. The law also requires certain disclosures about personal information collection and sharing practices, such as once enforced, businesses will have to inform consumers’ of the purposes for collecting and selling their personal information and the subsequent identification of those to whom it is being sold. In addition there will be the right to opt-out of the sale or sharing of personal information and importantly, the business is not allowed to discriminate against those exercising their rights. For example, a business must not charge consumers that exercise their right to opt-out any fees to access their information or service or by offering them a different level of service or pricing.
As the CCPA law was drafted and passed so quickly using the controversial gutting-and-amending technique it has many nuances, contradictions, unclear provisions, and apparent unintended consequences. As a result many of these provisions may be subsequently changed or refined in 2019. For example, the broad definitions of a consumer and what constitutes personal information will be targeted for change by the tech industry. However, interestingly, although the ballot initiative and the subsequent CCPA came under concerted attack from many sectors of business and commerce its opponents made few tangible gains. For instance a conglomeration of businesses as diverse as banks, tech start-ups, automobile associations and marketing groups proposed a wish-list of changes that amounted to circa 20 pages during the first clean-up review (SP 1211) of the CCPA act, but few and even then only minor changes were taken on-board by the legislators. Nonetheless, many industry observers think that 2019 will see much more aggressive strategies by the tech companies and the chamber of commerce in trying to gut the bill.
At present though, any for-profit business that is over $25 million in revenue or that handles California resident personal information on any material scale should immediately start to at least consider the necessity of compliance with the spirit of the privacy law. Fortunately for many, the introduction of GDPR in May 2018 means most businesses will have many of the technical and business controls in place for identifying, categorizing and protecting personal identifiable information that will need only to be adjusted in the context of the CCPA. However, for businesses that have chosen to ignore the EU GDPR for whatever reason they may well need to make substantial operational or business model changes to their company’s practices and procedures.
Early attention to compliance is especially important given that the CCPA, in part, uses one of California’s favoured approaches to consumer protection law enforcement by permitting a private right of action with statutory damages ($100-$750 per violation for private claims). Essentially, California residents will be able to sue businesses in the case of a data breach where they can show that the business did not have adequate protections for their person identifiable information. Under the CCPA, the plaintiff does not need to show actual harm to them although they must send a notice of their claims to the business and allow the business 30 days to cure. As is quite typical of the CCPA as it stands there is no indication as to how a business would cure a data breach.