
SANS ISC: CCPA - Quick Overview - SANS Internet Storm Center

CCPA - Quick Overview

It's been quiet lately. Hopefully, it is not a calm before a storm, if you will. I crawled out from under my rock and found that the State of California law that offers new consumer protection went into effect Jan 1, 2020. So I poked around the Interwebs to learn about what to expect. For what it's worth, I am not a resident of California, so I am not particularly entitled to these new protections today. I do think it is a sign of what is coming. Europe implemented the General Data Protection Regulation a couple of years ago. There are more states adopting more consumer protections each year. Let's hope they have enough teeth to have an impact. I took some time to read through the law [1] to highlight it for you. Please note, I am not an attorney, nor do I have any interest in being one. Let's take a look.

The CCPA - California Consumer Privacy Act [1] was passed in June 2018 and went into effect January 01, 2020. Some report that the Attorney General's office will begin enforcement on July 01, 2020. The law itself [1] does not cite any enforcement date. Some companies have released statements that they are adopting this for all customers, not just those in the State of California. FWIW, I have seen some sites recently, even prior to the first of the year, that are now offering conspicuous opt out links.

The CCPA:

  • Grants consumers a right to request…
    • specific pieces of information that it collects.
    • categories of sources from which that information is collected.
    • the business purposes for collecting or selling the information.
    • the categories of 3rd parties with which information is shared.
    • deletion of personal information…upon receipt of a verified request.
    • the business to not sell personal information (opt out).
  • Authorizes businesses to offer financial incentives for collection of personal info. (They must opt in.)
  • Prohibits businesses from selling information of a consumer under 16 years of age without an opt in.
  • Businesses are not required to provide information more than twice in a 12 month period.
  • Businesses must provide a clear and conspicuous link on the Internet home page titled "Do Not Sell My Personal Information"…
  • A consumer's "opt out" is good for 12 months before the business may request to authorize the sale of information.

If you think there are any other points to highlight that I did not mention, then please comment below to add to the discussion.


ISC Handler on Duty


Kevin Shortt

85 Posts
ISC Handler
Jan 3rd 2020
Thank you for that nice write up.
A cosmetic issue pushed me to my notebook to read as the bullet points don't wrap when the screen/window is smaller than will fit them making bits like "...Sell My Personal Information"…" not visible on my tablet with Chrome or a smaller window (Firefox and Chrome) on my Windows notebook.
Andy Konecny

8 Posts
Thanks for the comment and feedback.

Oddly - I was able to recreate the issue on my workstation with Chrome. I will be sure to re-size my windows on my next post before publishing it.

I'll look to tweak it.

Kevin Shortt

85 Posts
ISC Handler
