
SANS ISC: CCPA - Quick Overview SANS ISC InfoSec Forums

CCPA - Quick Overview

It's been quiet lately. Hopefully, it is not a calm before a storm, if you will. I crawled out from under my rock and found that the State of California law that offers new consumer protection went into effect Jan 1, 2020. So I poked around the Interwebs to learn about what to expect. For what it's worth, I am not a resident of California, so I am not particularly entitled to these new protections today. I do think it is a sign of what is coming. Europe implemented the General Data Protection Regulation a couple of years ago. There are more states adopting more consumer protections each year. Let's hope they have enough teeth to have an impact. I took some time to read through the law [1] to highlight it for you. Please note, I am not an attorney, nor do I have any interest in being one. Let's take a look.

The CCPA - California Consumer Privacy Act [1] was passed in June 2018 and went into effect January 01, 2020. Some report that the Attorney General's office will begin enforcement on July 01, 2020. The law itself [1] does not cite any enforcement date. Some companies have released statements that they are adopting this for all customers, not just those in the State of California. FWIW, I have seen some sites recently, even prior to the first of the year, that are now offering conspicuous opt-out links.

The CCPA:

  • Grants consumers a right to request…
    • specific pieces of information that it collects.
    • categories of sources from which that information is collected.
    • the business purposes for collecting or selling the information.
    • the categories of 3rd parties with which information is shared.
    • deletion of personal information…upon receipt of a verified request.
    • the business to not sell personal information (opt out).
  • Authorizes businesses to offer financial incentives for collection of personal info. (Consumers must opt in.)
  • Prohibits businesses from selling the information of a consumer under 16 years of age without an opt in.
  • Businesses are not required to provide information more than twice in a 12 month period.
  • Businesses must provide a clear and conspicuous link on the Internet home page titled "Do Not Sell My Personal Information"…
  • A consumer's "opt out" is good for 12 months before the business may request to authorize the sale of information.

If you think there are any other points to highlight that I did not mention, then please comment below to add to the discussion.

-Kevin

--
ISC Handler on Duty

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

Kevin Shortt

ISC Handler
Jan 3rd 2020
Thank you for that nice write up.
A cosmetic issue pushed me to my notebook to read as the bullet points don't wrap when the screen/window is smaller than will fit them making bits like "...Sell My Personal Information"…" not visible on my tablet with Chrome or a smaller window (Firefox and Chrome) on my Windows notebook.
Andy Konecny

Thanks for the comment and feedback.

Oddly - I was able to recreate the issue on my workstation with Chrome. I will be sure to re-size my windows on my next post before publishing it.

I'll look to tweak it.

-Kevin
Kevin Shortt

ISC Handler
