
SANS ISC: InfoSec Handlers Diary Blog



CCPA - Quick Overview

Published: 2020-01-03
Last Updated: 2020-01-03 18:48:01 UTC
by Kevin Shortt (Version: 1)

It's been quiet lately. Hopefully, it is not a calm before a storm, if you will. I crawled out from under my rock and found that the State of California law that offers new consumer protection went into effect Jan 1, 2020. So I poked around the Interwebs to learn about what to expect. For what it's worth, I am not a resident of California, so I am not particularly entitled to these new protections today. I do think it is a sign of what is coming. Europe implemented the General Data Protection Regulation a couple of years ago. There are more states adopting more consumer protections each year. Let's hope they have enough teeth to have an impact. I took some time to read through the law [1] to highlight it for you. Please note, I am not an attorney, nor do I have any interest in being one. Let's take a look.

The CCPA - California Consumer Privacy Act [1] was passed in June 2018 and went into effect January 01, 2020. Some report that the Attorney General's office will begin enforcement on July 01, 2020. The law itself [1] does not cite any enforcement date. Some companies have released statements that they are adopting this for all customers, not just those in the State of California. FWIW, I have seen some sites recently, even prior to the first of the year, that are now offering conspicuous opt out links.

The CCPA:

  • Grants consumers a right to request…
    • specific pieces of information that it collects.
    • categories of sources from which that information is collected.
    • the business purposes for collecting or selling the information.
    • the categories of 3rd parties with which information is shared.
    • deletion of personal information…upon receipt of a verified request.
    • the business to not sell personal information (opt out).
  • Authorizes businesses to offer financial incentives for collection of personal info. (They must opt in)
  • Prohibits businesses from selling information of a consumer under 16 years of age without an opt in.
  • Businesses are not required to provide information more than twice in a 12-month period.
  • Businesses must provide a clear and conspicuous link on the Internet home page titled "Do Not Sell My Personal Information"…
  • A consumer's "opt out" is good for 12 months before the business may request to authorize the sale of information.

If you think there are any other points to highlight that I did not mention, then please comment below to add to the discussion.

-Kevin

--
ISC Handler on Duty

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

Keywords: CCPA Privacy