What To Know About The New Canadian Consumer Privacy Protection Act

Don’t Risk Millions of Dollars in Fines by Disregarding Canada’s New Consumer Privacy Protection Act

On November 17, 2020, the Canadian Digital Charter Implementation Act was introduced, consisting of two parts. One enacts the new Consumer Privacy Protection Act (CPPA), and the second enacts legislation to establish a Personal Information and Data Protection Tribunal. This legislation is aimed at protecting consumers and redefines obligations and expectations for organizations that manage many consumers’ Personal Information (PI).

The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. Serious contraventions are subject to a maximum fine of 5% of global revenue or $25 million.

In addition to oversight directed by the Office of the Privacy Commissioner of Canada, companies such as telecoms may also be subject to privacy rules mandated by provincial regulations, as well as the Internet Code and the Wireless Code issued by the Canadian Radio-television and Telecommunications Commission (CRTC). That’s a lot of rules!

While you can anticipate changes to CPPA arising from the ensuing consultation period, it’s likely many of the key principles in the law may remain intact such as:

  • Meaningful consent: Modernized consent rules, plain-language information to make meaningful choices in the use of personal information.
  • Right to data mobility/portability: The right to direct transfer of personal information from one organization to another.
  • Right to disposal of personal information and withdrawal of consent: Accessibility to allow individuals to request organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
  • Algorithmic transparency: New transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence.
  • De-identified information: Clarifications on how this information is protected and used without an individual’s consent under certain circumstances.
  • Cross-border transfers: Clarifications on transparency obligations.

Many Canadian companies already make substantive investments in privacy program leadership, data discovery tools, and exercises and incorporate related ethics into their governance model. However, pending Canadian privacy legislation introduces a new set of regulations and a formal bureaucracy that requires companies to understand and address the delta between their existing maturity and the new landscape.

CAPP helps organization’s meet these types of regulatory obligations by:

  • Supporting your Privacy Officer or sponsor in the initiation, planning, and execution of a comprehensive project plan that addresses and prioritizes compliance with each functional requirement outlined in Canada’s proposed privacy regulation.
  • Ensuring your privacy compliance goals are aligned with your company’s overarching privacy program charter, company culture, and customer experience expectations.
  • Producing accessible resources, guidance/advisement, reporting, and documentation throughout our engagement and ongoing support to your Privacy Officer and team.

The new Canadian Consumer Privacy Protection Act regulations governing the use of consumer’s personally identifiable information (PII) needn’t be burdensome!  In fact, they can help protect your organization, reduce operating expenses, and identify opportunities for better governance that ensure you avoid fines, litigation exposure, and foster trust that enhances customer experiences.

Let Compliance & Privacy Partners helps Canadian companies like yours comply with these regulations by:

  • Knowing your data – Compliance starts with understanding what data you retain and what you do with it. We help organizations efficiently complete their data mapping exercises to visually understand what personal information is collected, how it’s stored, how it’s accessed, and whom it’s made accessible or shared with.
  • Responding to consumer requests – We help you set up a consumer-facing and backend system to allow, verify and process data subject requests to access, delete, or correct information and to help a consumer opt-out of the sale of their information.
  • Updating policies and procedures – Privacy policies must be updated regularly and we make sure your data collection forms and disclosures accurately describe your data collection processes and comply with the regulations. We help you to use plain language and alert customers of any updates.
  • Working with your data processing vendors – Ensuring vendors and business partners are working towards compliance is critical. We help you identify and update vendor contracts with the appropriate roles and responsibilities and limit your organization’s liability in the event of non-compliance.
  • Providing education and training – We help you train consumer-facing staff so they are prepared to inform consumers about how the company is complying with regulations like the CPPA and in processing requests. Compliance, legal, IT, operations, and marketing teams should all be aware of how compliance with this law works around the organization.
  • Monitoring and compliance – Establishing governance with clearly defined roles and responsibilities within your organizations is key to sustaining compliance.  We help organizations like yours formalize their compliance programs and perform privacy impact assessments.

Take charge of your information governance challenges by contacting us today for a free consultation about your obligations under privacy regulations such as PIPEDA and the Canadian Consumer Privacy Protection Act.

What Is A Data Map?

Inaugural webcast of Tomorrow’s Jobs Today: Wisdom and Career Advice From Thought Leaders in AI, big data, The Internet of Things, Privacy, and more.

Host Rafael Moscatel picks the brains of business leaders throughout the world who are pioneering emerging technologies and leadership concepts across a variety of industries in both the public and private sectors to better understand the future of work and the incredible tools being developed to perform that work. In today’s episode Priya Keshav of Meru Data discusses the question, “What Is A Data Map?”

Full transcript below:

Rafael Moscatel:

Priya, we’re going to talk a lot about data maps today, and you have a lot to show us there. But before you treat us to kind of the bells and whistles on your product, I do want to talk briefly about why you decided to start this business. You had an excellent position for one of the big four accounting firms, and you were doing some amazing work over there for them. So tell me: Why did you take this leap?

Priya Keshav:

Data is going to be one of the biggest risks for every enterprise in the next decade or so, and that’s broader than just cybersecurity risk. And most gender councils acknowledge this and are looking to build programs in-house to manage this proactively. I felt that most of the programs so far are consultant-driven, and there was a lack of products that supported these programs in a holistic manner. And I felt that there was a gap that perhaps we could address, so we founded Maru, and it’s been an excellent journey so far.

Rafael Moscatel:

So Priya, for some of our viewers that are very new to IT infrastructure and data maps, can you give us a basic definition of what a data map is?

Priya Keshav:

Yeah, it is a bird’s-eye view of all the data within the organization. For somebody who is trying to manage the risk around the data at a very high level, it provides all the details, in terms of the number of systems, where the data originated, how it flows. And you’re able to look at which systems are riskier, versus not. You’re able to understand the security controls that you have in place. So you can bring all of the information into one single place and take a look at it for various decision-making purposes, and that’s what the data map gives you.

Rafael Moscatel:

Now that you’ve told us exactly what a data map is, can you tell us a little bit more about why it’s important in today’s climate, with all of the privacy compliance exercises that companies need to undertake?

Priya Keshav:

The best way to explain this is with an elephant story that actually one of my mentors first told me. A bunch of blind men, who had never seen an elephant before, encountered an elephant. And they were experiencing this elephant in various ways, right? So somebody touched … One person touched the trunk. Somebody else was looking at the tail and obviously had a completely different description of what the elephant was. And somebody else was touching the body and had a very different description of the elephant. That’s true in most organizations. We are siloed.

We have a very good understanding of what we are doing with the data that we see and how we are using the data that we have, but it lacks perspective, and that’s what happens in most organizations. So you have perspectives. None of them are wrong, but the perspectives are limited, from a certain viewpoint. And what data map helps in cross-functional. So it brings collaboration. It helps in establishing true trust in data because now you have a true understanding of what is going on with your data. And it’s not just for compliance, though obviously, it gives you better control over compliance efforts. But it gives you, also, better visibility into your data.

So you can’t secure what you don’t know. If your perspective is that the elephant is just the trunk, then you’re going to secure it based on that perspective. But as if you understand that it’s a whole elephant, you have a completely different vision of how your security program would be. Data map, once it’s done right and being used and adopted by an organization, can serve in so many ways that it can open up a lot of opportunities for your data within the organization.

Rafael Moscatel:

Priya, can you tell me a little bit more about how tools like yours classify sensitive data within the data map?

Priya Keshav:

Yes, of course. So this is our classification wheel, and as you know, CCPA expects you to understand the various types of information that you store in various systems, like biometric data, profile information, or credit card information, or educational information. So from the data map, you’re able to classify them into various categories, and with a click of a button, you can get to the systems that are likely to have the particular data type that you’re looking at. So for example, I clicked on the IP address and it gave me the two systems where we store IP addresses. So it’s very functional, meeting the regulatory requirements.

Rafael Moscatel:

What about data flows? How do applications like that make sense of those? Because they can be so complicated and so involved.

Priya Keshav:

Yes, so it’s very important to understand how your data is flowing. So you have to understand the place of origin and all the places that it goes to be able to truly … Both from a data governance standpoint, as well as a privacy regulation standpoint. Because if you are looking at a request where you need to delete the data, you have to understand that. For example, we’re looking at an HR process right now. So let’s say somebody got a resume from LinkedIn and sent it to Greenhouse and used Greenhouse for recruiting and then eventually, that person was hired. And obviously, their data was moved into Workday. Maybe they send some expense reports in and Concur was used as an expense reporting system.

So in this case, what happens is that if that person comes back and says, “Please delete my data,” you have to be able to understand that that person was an employee. And the fact that you probably had information about the interviews. If it is not yet past that retention period, there was probably information about their resume and the various background check that happened, as well as their employee information in Workday and every other benefit-type systems or analytics systems that it was passed onto from Workday. And the expense reporting system.

So the data flows helps you understand all the systems that are impacted, as well as exactly what type of information is flowing. So for example, Workday, in this case, is sending, as you can see, a bunch of information on a daily basis, via API, to Concur. So being able to map this is a fundamental step to being able to meet the privacy regulations.

Rafael Moscatel:

In this new environment, so many companies are being forced to do so much more with less. And I’m wondering: How do platforms like this, the Maru platform, enable those organizations to do that?

Priya Keshav:

So yes, we’re trying to … Everybody’s shifted to a work-from-home environment, and obviously, that increases security risk. And there is also a need to accelerate some of the programs towards digital programs, because there’s a need for more technology and for more and more technologies to be online, as opposed to on-prem, because of the changes that we’re just going through.

But we’re also facing budget cuts and the need to do more with less, and one of the best ways to use a data map is to understand and prioritize. Because you understand where your data is, how it’s being used, and what’s the most important as well as the biggest risks that your organization is likely to face, using the data map enables you to make informed decisions, as opposed to making decisions based on intuition. So I think there are so many different ways in which we build … And that’s what differentiates us because we don’t look at this as a privacy tool that just solely does privacy-related work, which is important.

But most organizations, with limited budgets, they’re trying to comply with the privacy program. But they’re also trying to leverage what they have to reduce their overall risk with data, to improve their security program, as well as trying to look at how effective their analytics programs are. So there are so many use cases, and truly, that’s one of the things that I think we look at it as fundamental to how a data map should work and how it should be a single tool that sort of brings everybody’s objectives together and helps them collaborate through the tool.

Data Privacy Plans: When Creating One, Remember to K.I.S.S.

Data privacy sits at the center of business operations today. No matter what industry you’re in, you collect, store, and use it, and the laws now require us to better protect it. The worst thing any organization can do is make that obligation more complicated than it needs to be.

Personally Identifiable Information (PII) helps guide our decision-making processes, from purchasing to marketing to sales to hiring. Data you collect on current customers,  prospective customers, and your website visitors, for example, helps you run highly-targeted and highly-effective marketing campaigns. But data privacy regulations now complicate all of that.

As data proliferation is now a well-known fact, more people are becoming concerned about companies misusing theirs. This fear and concern have sparked new legislation around the world that regulates what businesses can and cannot do with the personal information they collect.

Whether it’s the GDPR in Europe or the CCPA and CRPA in California, new privacy protection laws are forcing businesses worldwide to change their practices to become compliant.

In response, companies have been rushing to create an all-encompassing privacy protection plan hoping to ensure compliance with California’s current laws and preps them for future regulation as well.

Of course, the challenge is these laws are complicated, and building a full data privacy plan can be just as involved. The general approach has been to create a massive program that covers every possible angle.

But is that necessary? In reality, it’s not. And that’s why companies end up scaling back. Like many other things in life, it’s best to follow the principle of K.I.S.S. — Keep It Simple Stupid.

Your Data Privacy Plan Should Fit Your Company

The KISS acronym is a funny way of reminding us not to make things too complicated, as many of us tend to do from time to time. It doesn’t mean we’re stupid, of course — far from it.

This saying is perfectly suited for companies that are building a data privacy plan. Another phrase comes to mind as well: Less is more.

Privacy is a complicated issue, but that doesn’t mean you need to build an incredibly complicated plan. Just because privacy laws are big blanket regulations does not imply a one-size-fits-all approach is right.

In most cases, such an approach is not only inappropriate, it’s onerous, costly, and unnecessarily time-consuming. A better approach is to build a privacy plan that fits your company’s risk profile.

That’s what we do at Compliance and Privacy Partners. We don’t let the regulators lead us. We help companies build a privacy program that is proportionate to your risk.

Doing anything above and beyond doesn’t always provide extra protection. It often complicates the compliance burden. Data privacy shouldn’t be about building levels of bureaucracy that rival that of the government. It should be about building simple, effective, and appropriate solutions focused on data protection.

There are Opportunities Where Gaps Exist

President John F. Kennedy once said:

“The Chinese use two brush strokes to write the word ‘crisis. One brush stroke stands for danger; the other for opportunity. In a crisis, be aware of the danger — but recognize the opportunity.”

That quote summarizes one of our three pillars of digital strategy consulting: Where gaps exist, so, too, do opportunities.

Many companies approach data privacy compliance as an arduous task they have to undertake. They seek to protect themselves from the regulatory authorities to fill the gaps in their current policies to keep them compliant.

That line of thinking is short-sighted, though. Companies that can understand there are opportunities to be had in this process are the ones who are going to separate themselves from the competition.

Instead of merely creating a data privacy plan that will abide by laws, why not use it as a way to connect with your current and prospective customers? Why not use it as a way to be a leader in your industry?

It’s amazing what opportunities you can find when you approach mundane tasks with an open mind. CAPP can help you do just that as you build your data privacy plan.

Relationships are What Matter Most

It’s essential to keep in mind that people are at the heart of your data privacy plan through it all. It’s not just the consumers whose data you are protecting but also your employees and business partners who help you protect it. Your customers have to believe that you are treating their data with care and are being responsible.

Your employees need to help you communicate this message and to execute the plan from the inside out. And business partners will serve an essential role in protecting this data exchanged between the two.

We Do More for Our Clients

We have busy enough lives as it is. There’s no need to make things more complicated than they have to be — even when we’re talking about something as crucial as data privacy compliance.

Privacy is a core value of ours at CAPP, and we can help make it one of yours, too. By working closely with your legal, HR, compliance and IT teams, we help you build a solution that matches your potential risk.

We not only build you a program that works today but anticipates what’s to come in the ever-changing world of data privacy, data security and regulation. Through it all, we help you see that compliance isn’t a burden but rather an opportunity.

Turn Waves Of Regulation Into Oceans Of Opportunity with CAPP.

To learn more about how Compliance & Privacy Partners can help prepare you for the new wave of privacy regulations reach out to us at 323-413-7432 or email us at support@capp-llc.com for a free consultation with a Certified Information Privacy Manager.

Prop 24: New Privacy Regulations Rock The State of California

A Special Report from Compliance & Privacy Partners

California Privacy Rights Act
The CPRA amends and expands the California Consumer Privacy Act (CCPA)—California’s current privacy law that itself is nearly brand new.

Californians took a step toward more privacy protections when they voted to pass Proposition 24 on November 3. The ballot created what’s known as the California Privacy Rights Act, known as the CPRA, which will expand and amend the previously-existing California Consumer Privacy Act (CCPA). So, what does this mean for Californians and companies that do business in the state? It can be confusing, so let’s take a closer look at some of the law’s major points.

The Background

California has a unique system of ballot propositions. It allows people and groups to go around the state government to get certain initiatives passed into law.

To appear on an official ballot, groups must file a proposal with the attorney general’s office. Then, they must receive a certain number of signatures supporting the measure by a specific date. Once those signatures are confirmed, the proposition can appear on the ballot.

In 2020 alone, there were 12 ballot measures on which Californians could vote. If a ballot measure passes, it becomes law in the state — regardless of how elected officials feel about it.

The group that supported the CPRA, Californians for Consumer Privacy, has also supported other privacy measures in the past. In 2018, they got enough signatures to get the CRPA on the ballot, but they agreed to withdraw that application in exchange for the state legislature passing the CCPA.

In the two years since its passage, the group wasn’t satisfied with how the CCPA turned out. So, it moved forward again with a ballot for the CPRA, which the group saw as a stronger law.

What Does CPRA Do?

This new law is now the baseline for all privacy laws within California. Only a further ballot measure would be able to repeal it. If lawmakers were to pass an amendment to it, the groups that support CPRA could sue to have that blocked.

The only other way that the law could be changed or modified is through a future ballot passage, or if the federal government or court system invalidated it. That could be done only if it were ruled unconstitutional, or if a federal privacy law pre-empted it.

Is CPRA Effective?

There is an adjustment period now that CPRA has passed. Most of the significant provisions won’t take effect for two more years — on January 1 of 2023. This gives businesses that are affected enough time to make necessary changes. The “Right to Know” provision of the law takes effect a year earlier, on the first of 2022.

In the meantime, businesses have to comply with the current CCPA until the CPRA is fully in effect.

What Are the Differences Between CPRA and CCPA?

There are several ways that the new law differs from the original one. It seeks to take consumer privacy one step further in many cases.

There are ten primary areas where the two are different.

1. Business Regulations

A “covered business” is redefined under CPRA. In some instances, the number of businesses covered will decrease from CCPA, while in others, it will increase. That’s because:

  • It will not be applied to as many small and mid-sized businesses as CCPA because the threshold for the number of households/consumers has been increased from 50,000 to 100,000.
  • Businesses that buy, sell, or share personal information are subject to the new CPRA. Companies that get at least half of their yearly revenue in this way are subject to the law.

2. Sensitive Personal Information

The law creates an entirely new dataset known as “sensitive personal information.” It’s now subject to full disclosure and limitation. Consumers also now have the right to limit the use of their personal information by businesses.

CCPA is much broader in how it treats sensitive personal information, but not so for CPRA. There are separate restrictions and requirements on this type of information, including:

  • A requirement to offer an opt-out for both disclosure and use of it
  • A required opt-in consent standard for disclosure and use of it
  • A requirement that limits the purpose of use
  • A requirement on full disclosure

See the differences between various privacy laws below.

3. New and Expanded Rights

CPRA not only modifies some of the privacy rights California consumers have under CCPA; it also creates brand new ones.

Some of the modified rights include:

  • Businesses have to notify third parties that they must delete personal information they buy or receive.
  • Data applicable under “Right to Know” is now expanded beyond just the previous 12 months if collected after January 1 of 2022.
  • Opt-outs must also include the sharing of personal information, not just the sale of it to third parties.
  • Businesses have to abide by the same opt-in selling rights to minors. In other words, they now must wait at least 12 months after a minor has declined to sell/share their personal information.
  • Consumers can request their personal information be transmitted in a specific way — as long as it is commonly used and structured.

Some of the new rights include:

  • Consumers can request corrections if any of their personal information is wrong.
  • Consumers can opt-out of technology that makes decision-making regarding personal information automated. In other words, they can’t be profiled based on a consumer’s health, interests, location, economic situation, etc.
  • Consumers can also request information about any automated decision-making technology.
  • Consumers can limit the use of their sensitive personal information. They can ban businesses from sending it to third parties altogether.
  • Cybersecurity audits and risk assessments are now mandatory for any activity that is labeled high-risk. These audits have to be submitted regularly to the California Privacy Protection Agency.

4. Behavioral Advertising

CPRA seeks to regulate all digital advertising. It will now separate digital advertising into two categories — non-personalized and cross-context behavioral.

Personal information that businesses want to share for cross-context behavior must be subject to the Right to Opt-Out, while the other is not. This first-party advertising, as it’s called, is designated for internal business use.

There were already many businesses who were treating the Right to Opt-Out under CCPA this way. So, they won’t be required to make many changes, if any at all, in this regard.

5. New Authority

CPRA will establish a new agency that will be tasked with enforcing the law. It will be called the California Privacy Protection Agency, or CPPA. The new body will have the power to make rules, enforce rules, and investigate instances of non-compliance.

Also, there will no longer be a 30-day “cure period,” as there is under the current CCPA. This means that once a business is notified of a potential violation by the state attorney general’s office, they must act right away.

This new law will also increase maximum penalties up to $7,500 for any violation that concerns a minor. That’s triple the current maximum under the CCPA.

6. GDPR Alignment

Some of the CPRA is structured after the General Data Protection Regulation (GDPR) law that has been in effect in Europe since 2018. The three main areas that are now codified are:

  • Data: Businesses have to limit the collection, retention, sharing, and use of personal information only to what is considered “reasonably necessary and proportionate” to their purpose. It also can’t be processed for undisclosed and/or incompatible uses.
  • Storage: Businesses always have to tell consumers how long they’re retaining their personal information, and they must do this for every category of personal information. They also can’t hold onto the information for longer than “reasonably necessary” for each purpose they disclose.
  • Purpose: If a business wants to change a purpose for why they collect and/or use personal information, they must issue a new consumer notice.

Businesses that don’t comply are now also subject to enforcement through the newly-created CPPA. A violation of any three of these codes is enough for enforcement, even if no other offense is committed.

7. Service Providers

CPRA creates a new category of businesses called “contractors,” which amends the definition of a “service provider.” Contractors must now not only abide by these regulations, but they must state that they understand them and will abide by them.

They must notify businesses if they work with any sub-contractor sub-service provider, and those parties must abide by the same rules in a similar written contract.

These contractors and service providers must help businesses if a consumer makes a request for privacy. Finally, companies have to hold service providers/contractors accountable (via contract) from combining the personal information they receive with other collected data.

8. Exemptions

The CPRA did grant some leeway to the state Legislature to work on regulations about business-to-business and employee exemptions. They now have until the start of 2023 to do so through a new bill. The Legislature could, of course, try to challenge this aspect of the CPRA, but they’d be in for a fight if they indeed tried to do so.

9. Consent Standard

A consent standard existed under CCPA, but it will now more closely align with the definition laid out under GDPR. This makes it much stricter, although some of this already existed under CCPA.

It includes:

  • Research exemptions
  • Financial incentive programs and an opt-in consent
  • Consent to disclosure and use by a secondary firm after already opting out
  • Minors having the power to opt-in to their personal information being shared or sold
  • Consent required to sell or share personal information following an opt-out

10. Data Breaches

The CCPA already has a private right of action in place for data breaches, and CPRA doesn’t alter that in any way.

What’s Next?

CPRA becomes fully effective on the first day of 2021. Starting around the mid-point of next year, the process of officially making the rules will begin. The Legislature has until July 1 of 2022, to adopt the final regulations under CPRA. One year after that, the CPPA will have full authority to enforce the new law.

CPRA is set to alter and expand California consumers’ privacy rights over the next few years. But there’s still a ways to go before everything is entirely in effect.

Turn Waves Of Regulation Into Oceans Of Opportunity with CAPP.

New regulations governing the use of consumer’s personally identifiable information (PII) needn’t be burdensome.  In fact, they can help protect your organization, reduce operating expenses, and identify opportunities for better governance that ensure you avoid fines, litigation exposure, and foster trust that enhances customer experiences. To learn more about how Compliance & Privacy Partners can help prepare you for the new wave of privacy regulations reach out to us at 323-413-7432 or email us at support@capp-llc.com for a free consultation with a Certified Information Privacy Manager.

What is the California Privacy Protection Agency?

One of the main changes brought about by the California Privacy Rights Act is the establishment of the California Privacy Protection Agency as an “independent watchdog” whose mission is both to “vigorously enforce” the CPRA and “ensure that businesses and consumers are well‐informed about their rights and obligations.”

The CPPA will be governed by a five‐member board and, although the CPRA provides for a 90-day window for appointments, it is expected the board members will be announced by the end of January 2021. The board will select a chairman and hire an executive director shortly thereafter.

In terms of the mandate, the CPPA will significantly go beyond the functions currently performed by the California Attorney General’s Office. In addition to enforcement and rulemaking, the CPPA will have an important educational function.

In terms of rulemaking, the CPRA requires rulemaking regarding three times as many issues as the CCPA. During 2021 and 2022, it is expected the new agency will undertake not only the update of the existing CCPA rules, but also the issuance of new ones addressing areas such as:

  • The specifics of opt-out mechanisms from “selling and “sharing” for cross-context behavioral advertising purposes with the goal of promoting clarity and ensuring such mechanisms are consumer-friendly.
  • How often and under what circumstances consumers may request the correction of their personal information, including defining the exceptions to the right to correct and how accuracy concerns may be resolved. As the existing personnel data carve-out will expire at the time the CPRA goes into effect, the rules will likely address the mechanics of correction request in the context of employment-related personal information.
  • The standard governing whether, in response to an access request, businesses will be required to provide information beyond the 12-month look-back window.
  • The standards for annual cybersecurity audits and risk assessments that may have to be conducted by businesses whose processing activities present “significant risks.”
  • Access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling.

In addition, the CPPA “is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act.” However, as opposed to the U.S. Federal Trade Commission authority under Section 5 of the Federal Trade Commission Act, the CPPA will be able to impose fines for violations that do not rise to “knowing” violations. The fines that the CPPA may impose are identical to the ones that apply under CCPA, except that violations that relate to the data of minors are tripled (to $7,500 per violation). CPPA enforcement will not start until six months after the CPRA goes into effect July 1, 2023. It is important to note that the California attorney general retains the power to enforce the CPRA through civil penalties and will be required to coordinate its actions with the CPPA.

The CPPA will appoint a chief privacy auditor to conduct audits of businesses to ensure compliance with the CPRA. In addition, because the CPPA will have the power to cooperate with other privacy enforcement agencies in the state, as well as in “other states, territories, and countries,” it is expected that it will coordinate its investigatory actions with regulators in other jurisdictions, including European data protection authorities.

The CPPA will have an educational function and is charged with promoting “public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” This includes providing guidelines not only for consumers, but also for businesses with regards to their duties under the CPRA. The CPPA also has the power to award grants from its budget for educational purposes.

Finally, upon request, the CPPA will provide technical assistance and advice to the California Legislature with respect to privacy‐related legislation, “monitor” the developments in the field of personal information protection, and establish a mechanism for organizations that are not subject to the CPRA to voluntarily self-certify compliance.

In sum, the CPPA is set to become a key privacy regulator not only in California, but across the U.S. and the globe.


Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of a third set of proposed modifications made to the regulations regarding the California Consumer Privacy Act.    

The Department first published and noticed the proposed regulations for public comment on October 11, 2019.  On February 10, 2020 and March 11, 2020, the Department gave notice of modifications to the proposed regulations, based on comments received during the relevant comment periods.  The Department withdrew the following sections from the review of the Office Administrative Law (OAL) pursuant to Government Code section 11349.3, subd. (c):  999.305(a)(5), 999.306(b)(2), 999.315(c), and 999.326(c).  OAL approved the other sections submitted by the Department, effective August 14, 2020, and these provisions became final.

The modifications are indicated by bold blue underline for proposed additions and red strike out for proposed deletions to the regulations that became effective on August 14, 2020.  This third set of modifications include the following changes:

  • Proposed section 999.306, subd. (b)(3), provides examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.
  • Proposed section 999.315, subd. (h), provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps.  It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.
  • Proposed section 999.326, subd. (a), clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.
  • Proposed section 999.332, subd. (a), clarifies that businesses subject to either section 999.330, section 999.331, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.

This Notice, the text of the third set of proposed modifications to the regulations, and a comparison of the text as approved by the Office of Administrative Law with the currently proposed modifications are available at www.oag.ca.gov/privacy/ccpa/current.  The originally proposed regulations and all documents relating to the rulemaking package, including previous modifications to the proposed regulations, are also available at this website.

The Department will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020. Please limit comments to the additions indicated in bold blue underline and the deletions indicated in red strike out.  All written comments on the underlined changes must be submitted to the Department no later than 5:00 p.m. on October 28, 2020 by email to PrivacyRegulations@doj.ca.gov, or by mail to the address listed below.

Tomorrow’s Jobs Today: Wisdom and Career Advice from Thought Leaders in AI, Big Data, Blockchain, the Internet of Things, Privacy and More To Be Published by John Hunt in 2021

Tomorrow’s Jobs Today: Available April 2021 

Wisdom and Career Advice from Thought Leaders in AI, Big Data, Blockchain, the Internet of Things, Privacy and More

Discover leadership secrets and technology strategies being pioneered by today’s most innovative business executives and renowned brands across the globe in this entertaining collection of interviews and stories exploring new careers of the Information Age.

Design your career for tomorrow with wisdom from leaders whose shoulders you stand on today. 

This collection of in-depth profiles featuring Smart City CIOs, Data Protection Officers, Blockchain CEO’s, Informatics Doctors and other diverse, skilled professionals gives readers first-hand insight into what tomorrow’s jobs look like today. The hands-on experiences, subject matter expertise, and measured job advice shared within these pages demonstrate how identifying opportunities, setting the right cadence, and building strong relationships are the essential ingredients to unlocking your future’s potential.

This book is for the new graduate, the professional between jobs and the doting parents desperate to get their “brilliant” but lazy kid out of the basement. It’s also for senior corporate leaders seeking an intimate understanding of the changes abounding in their organizations. It’s for the manager who wants to inspire and encourage professional development. And it’s for every knowledge worker out there who wants to leverage technology and information governance to reduce risk, generate revenue, and improve customer experiences.

Tomorrow’s Jobs Today is not for those who cower in the face of robots, coding, and automation. It’s a resource for people like you who recognize that the jobs of the future are very much here today and ours to adapt to. By absorbing the perspectives, challenges, and solutions of those deeply in love and accomplished in these new careers, we can help ourselves, our friends and our employees transform anxiety over a job search, job loss or just the winds of change into hope, understanding, and opportunity.

Sign up for updates on the book below!

It’s Not The Crime, It’s The Cover Up – Former Uber Security Chief Charged Over Covering Up 2016 Data Breach

The federal prosecutors in the United States have charged Uber’s former chief security officer, Joe Sullivan, for covering up a massive data breach that the ride-hailing company suffered in 2016.

According to the press release published by the U.S. Department of Justice, Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach” that also involved paying hackers $100,000 ransom to keep the incident secret.

“A criminal complaint was filed today in federal court charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies,” it says.

The 2016 Uber’s data breach exposed names, email addresses, phone numbers of 57 million Uber riders and drivers, and driver license numbers of around 600,000 drivers.

The company revealed this information to the public almost a year later in 2017, immediately after Sullivan left his job at Uber in November.

Later it was reported that two hackers, Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, were behind the incident to whom Sullivan approved paying money in exchange for promises to delete data of customers they had stolen.

All this started when Sullivan, as a representative for Uber, in 2016 was responding to FTC inquiries regarding a previous data breach incident in 2014, and during the same time, Brandon and Vasile contacted him regarding the new data breach.

“On November 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again.”

“Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email. Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC.”

According to court documents, the ransom amount was paid through a bug bounty program in an attempt to document the blackmailing payment as bounty for white-hat hackers who point out security issues but have not compromised data.

“Uber paid the hackers $100,000 in BitCoin in December 2016, despite the fact that the hackers refused to provide their true names (at that time),” federal prosecutors said. “In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data.”

“Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.”

Just last year, both hackers were pleaded guilty to several counts of charges for hacking and blackmailing Uber, LinkedIn, and other U.S. corporations.

In 2018, British and Dutch data protection regulators also fined Uber with $1.1 million for failing to protect its customers’ personal information during a 2016 cyber attack.

Now, if Sullivan found guilty of cover-up charges, he could face up to eight years in prison, as well as potential fines of up to $500,000.

Approval of Final Regulations Under the California Consumer Privacy Act

California Attorney General Xavier Becerra today announced approval by the Office of Administrative Law (OAL) of final regulations under the California Consumer Privacy Act (CCPA). Proposed final regulations were submitted to the OAL by Attorney General Becerra on June 1, 2020. During OAL’s review process, additional revisions were made to the proposed regulations. The approved regulations go into effect immediately.

“In California, privacy is an inalienable right. Californians should control who possesses their personal data and how it’s used,” said Attorney General Becerra. “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”

CCPA was signed into law on June 28, 2018, and was further amended on September 23, 2018 by SB 1121 and on October 11, 2019 by AB 25, AB 874, AB 1146, AB 1355, and AB 1564. The law went into effect on January 1, 2020. CCPA grants California consumers robust data privacy rights and control over their personal information including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect, and includes additional protections for minors. The regulations establish procedures for compliance and exercise of rights, as well as clarifying important transparency and accountability mechanisms for businesses subject to the law.

The regulations approved by OAL were drafted after a broad and inclusive preliminary rulemaking process, which included seven public forums, during which the office received over 300 letters. During the formal rulemaking process, Attorney General Becerra held four public hearings throughout the state, along with a 45-day comment period and two subsequent 15-day comment periods. These comment periods resulted in the submission of over 1,000 public comments, each of which were taken into consideration when drafting the final regulations.

A copy of the approved final regulations can be found here.

California Privacy Act – What Businesses Need To Do, Now.

After much anticipation, the California Attorney General (AG) announced in early June 2020 that the final California Consumer Protection Act (CCPA) regulations were being submitted to the Office of Administrative Law (OAL) for review. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

Because enforcement of the CCPA began on July 1, 2020, now is the time for covered businesses and service providers to size-up their compliance efforts. Although there are many issues that remain unclear, the regulations may provide a road map to the AG’s enforcement priorities. Among the issues addressed by the final regulations—as well as the AG’s “Final Statement of Reasons” which accompanied those regulations— are the following:

  • Privacy Policy: A business’ privacy policy must inform consumers of their rights under the CCPA and how they can submit requests to know or delete personal information. In addition, the privacy policy should disclose the categories of personal information collected, the categories of personal information disclosed for a business purpose or sold to a third party and provide on a per category basis the categories of third parties to whom the information was disclosed or sold.
  • Required Notices: The final regulations detail the information that should be included in the various notices. They also require business to use “plain, straightforward language” and a format that draws the consumer’s attention to the notice. In addition, the AG clarified that the regulations do “not require a cookie banner, but rather leave it to businesses to determine the formats that will best achieve the result in particular environments. In other words, it appears that the use and nature of tracking technologies can be disclosed in the privacy policy assuming that policy is readily available to the public.
  • Service Providers: The regulations require that service providers use the personal information they receive from businesses “to process or maintain personal information on behalf of the business … and in compliance with the written contract for services required by the CCPA,” except in certain narrowly-defined circumstances, such as building or improving the quality of their services. If an entity qualifies as a service provider, the transfer of information from a business to them is not deemed a sale. Moreover, the Final Statement of Reasons clarifies that service providers do not lose their status as service providers merely because they collect consumers’ personal information directly, if that collection is performed at the business’s direction and on behalf of that business.
  • Subcontractors: The regulations provide that service providers may hire subcontractors, as long as the subcontractors meet all the requirements for a “service provider” set forth in the CCPA and the regulations.
  • User-Enabled Privacy Controls: Businesses must honor privacy controls that clearly communicate or signal that the consumer intends to opt out of the sale of personal information.
  • Training and Recordkeeping: The regulations require training for all individuals responsible for handling consumer inquiries. Businesses must also retain records of consumer requests and how the business responded to such request for 24 months.
  • No Discrimination: A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.

Read the latest regulations here.

Privacy Shield Update from the Federal Trade Commission

On July 16, 2020, the European Court of Justice issued a judgment declaring invalid the European Commission’s Decision 2016/1250/EC of July 12, 2016 on the adequacy of the EU-U.S. Privacy Shield Framework. We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers. Updated on July 21st, 2020.

PrivacyCon 2020 | Federal Trade Commission

The FTC will host its fifth annual PrivacyCon on July 21, 2020. For PrivacyCon 2020, the FTC is seeking research presentations on any topic related to consumer privacy and security. However, we will focus in particular on the privacy of health data collected, stored, and transmitted by mobile applications (“apps”). The call for presentations saught empirical research responding to several questions, including:

What are the risks to consumer data, particularly data held by health apps, and how does the risk vary by product and data type?
Which products are transmitting user data to third parties, who are the recipients, what are the data, and what are the apparent purposes for these transmissions?
Has empirical work assessed consumer perception of the privacy and security of products that handle sensitive information? What factors affect that perception (e.g., endorsement by a credible organization, popularity, representations in the privacy policy, claims in a user interface, paid versus non-paid version)? Are consumer perceptions of the privacy and security of products accurate? How do we know?
What are the tradeoffs between product functionality (including the ability to combine data from various devices) and increased security or increased privacy protections?
Are there unique attributes or characteristics of apps that collect, store, or transmit health data that merit special attention or focus?
The deadline for submissions was April 10, 2020.

PrivacyCon is free and open to the public.

This event will be held online.

via PrivacyCon 2020 | Federal Trade Commission

Simplify For Success

There is tremendous value to simplification. To quote Steve jobs, “Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it is worth it in the end because once you get there, you can move mountains.” We wanted to explore how people and companies achieve simplification in this series of posts.

Data is complex but our solution to managing data need not be complex. Can simplifying what we are doing help us to do more with less?

Simplification is a key focus for many companies and everyone understands how eliminating unnecessary complexity can lead to more successful outcomes. But achieving simplicity is hard. So why is simple not easy and obvious?

First, lack of time to simplify. Your processes or products can get more complex over time as new aspects are introduced. Or your first iteration to achieve your objectives might not be the simplest version – but you are in a time crunch to get that first product or prototype out of the door. In either case, you realize there might be simpler ways to achieve what you are doing, but you just do not have the time to step back and possibly disrupt your current state while redesigning and rebuilding a simpler and a more straight forward version. Again to quote Steve Jobs, “When you first start off trying to solve a problem, the first solutions you come up with are very complex, and most people stop there. But if you keep going, and live with the problem and peel more layers of the onion off, you can often times arrive at some very elegant and simple solutions.”

Second, a perception that simple might be inferior. Often detailed and sophisticated problems require complex solutions. A solution might feel basic or inadequate or not good enough. The thinking can be when the problem we are solving is obviously complex, shouldn’t the solution also be complex?

Finally, simplification efforts get held back by lack of clarity. Clarity around exactly what needs to done and clarity around what exactly is being done in each step of the process. Once that clarity is available, it is easier to eliminate processes or steps that are not adding value and only focus on those that are doing what needs to be done. But this is easier said than done.

So what do you think is the best way to simplify? How does your company view simplification? is the right approach to re-configuring processes to streamline and eliminate unnecessary or repeated parts of the process. Or do you see better results when you start from an innovation focused approach to simplification. Are new advances in technology or radical redesign the only way you can simplify?

If you would like to share your thoughts please let us know.

via Simplify For Success

FTC Releases Agenda for PrivacyCon 2020 | Federal Trade Commission

via FTC Releases Agenda for PrivacyCon 2020 | Federal Trade Commission

The Federal Trade Commission has released the final agenda for its fifth annual PrivacyCon event, which will be held online on July 21, 2020.

PrivacyCon 2020 will bring together a diverse group of stakeholders to discuss the latest research and trends related to consumer privacy and data security.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, will give opening remarks to kick off the event and will be followed by six panel discussions. The three morning sessions will focus on research related to health apps, artificial intelligence, and Internet of Things devices. The three afternoon sessions will feature discussions on research related to the privacy and security of specific technologies such as digital cameras and virtual assistants, international privacy, and miscellaneous privacy and security issues.

Links to the research that will be presented at PrivacyCon 2020 are available on the event page. PrivacyCon will take place online from 9 a.m. ET to 5 p.m ET. A link to view PrivacyCon 2020 will be posted on the event page prior to the start of the event. Registration is not required.

CCPA Proposed Regulations Submitted to the Office of Administrative Law

California Attorney General Xavier Becerra submitted final proposed regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The regulations will provide guidance to businesses on how to comply with the CCPA and will enable consumers to exercise new rights over their personal information. Under Executive Order N-40-20 related to the COVID-19 pandemic, OAL has 30 working days and an additional 60 calendar days to determine whether the regulations satisfy the procedural requirements of the Administrative Procedure Act. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

A copy of the complete rulemaking package submitted to OAL, including a text of the regulations, can be found at www.oag.ca.gov/ccpa.

The final proposed regulations were drafted after a broad and inclusive preliminary rulemaking process, which included seven public forums, during which the office received over 300 letters. During the formal rulemaking process, Attorney General Becerra held four public hearings throughout the state, along with a 45-day comment period and two subsequent 15-day comment periods. These comment periods resulted in the submission of over 1,000 public comments, each of which were taken into consideration when drafting the final regulations.

So, how much is this damn CCPA thing gonna #$@&%* cost me?! – Rafael Moscatel

The short answer? A lot, but not as much as you might have been told…

via So, how much is this damn CCPA thing gonna #$@&%* cost me?! – Rafael Moscatel

ILTA Blackberry and CAPP Presentation

As I’ve traveled around California doing my “Blessings of the CCPA” presentation, I’ve been asked repeatedly about the “average” cost of a CCPA solution from CFO’s, GC’s and IT folks alike. It’s a loaded question as there are many requirements to the law, from policy and website disclosures to consumer data request obligations. One size does not fit all and your organization needs to spend time methodically planning its approach before setting aside budget and other resources.

While some unprepared organizations may need to beef up spending in the near-term, others may end up refining their programs over the coming years as they realize their initial investment wasn’t as strategic as it probably needs to be.

Decision makers, consider the following:

  • What’s our true risk exposure based on the personal data we already collect, sell, barter, manage, etc. on behalf of our business partners?
  • Can we do this all in-house or should we outsource some of it?
  • Do we have any existing talent and software that might help streamline some of the CCPA’s major workstreams like data mapping?
  • What kind of fundamental changes are we willing to make to our IT infrastructure?
  • Do we fully automate self-service requests through API’s and is that even the right idea, long-term, given our risk, the evolving nature of IT and emerging legislation?
  • How can taking a principle based approach to privacy using concepts like data minimization to insulate us going forward?

Click here for a free CCPA Roadmap from Compliance and Privacy Partners.

Clearly, all of us subject to the law need to protect our business and expect some activity, whether it be through consumer requests or even the limited right of private action afforded by the CCPA. That doesn’t mean you turn your entire organization upside down and fork over hundreds of thousands of dollars in licensing ransom! Change management on this scale first requires proper risk analysis, roadmapping and getting stakeholders to buy-in and be accountable.

Then what’s my next step?

Before you embark on this journey to become a privacy-centric company, the real question you should be asking yourself is….

Are there consultants and affordable software solutions out there that will leverage our resources and best minds to help us implement a proportional strategy that protects us? 

The answer to that last question is YES!

CAPP’s California Consumer Privacy Act Roadmap

Long-term solutions need to be fact-based and reasonable, recognizing the unique facets of your culture and business model. Big, complex and expensive isn’t always better.

It’s true there are some amazingly fancy privacy software products out there. But do you really want to spend a quarter to half-a-million dollars a year to fend off what might ultimately be a handful of consumer requests and opt-outs, when you can do the exact same thing with a far less expensive and better tool?

The bottom line…

There are so many vendors playing in the privacy space today and way too many folks are impulsively investing either too heavily or disproportionately in them just to “check the box.” Yes, of course you need to “check the box,” but running headfirst into this regulatory challenge could leave you with a budget nightmare and organizational headache you’ll soon regret.

The bottom line is your investment needs to be proportional to your risk profile and the complexity of your infrastructure and organization. Even then, you may not need a solution that costs you hundreds of thousands of dollars when you could be compliant and sleep comfortably for under $50,000 a year.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

CCPA Regulations Update


Update to Proposed Text

Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of changes made to the proposed regulations regarding the California Consumer Privacy Act, which were published and noticed for public comment on October 11, 2019.  These changes are in response to comments received regarding the proposed regulations and/or to clarify and conform the proposed regulations to existing law.  The originally proposed regulations, this Notice, the text of the proposed regulations as modified, and a comparison of the text as originally proposed with the modifications, are available at www.oag.ca.gov/privacy/ccpa.

Update to Documents and Other Information Relied Upon

Pursuant to the requirements of Government Code sections 11346.8, subdivision (d), 11346.9, subdivision (a)(1), and 11347.1, the Department is also providing notice that documents and other information which the Department has relied upon in adopting the proposed regulations have been added to the rulemaking file and are available for public inspection and comment.

The documents and information added to the rulemaking file are as follows:

Accenture Interactive, See people, not patterns. (2019). Available at https://www.accenture.com/_acnmedia/PDF-110/Accenture-See-People-Not-Patterns.pdf.

Cranor, et al., Design and Evaluation of a Usable Icon and Tagline to Signal an Opt-Out of the Sale of Personal Information as Required by CCPA (February 4, 2020).

Douglis, et al., How the CCPA impacts civil litigation (January 28, 2020).  Available at https://iapp.org/news/a/how-the-ccpa-impacts-civil-litigation/#.

Duffy, et al., Retail Loyalty Programs Will Survive Calif. Privacy Law (September 26, 2019), Law360.  Available at https://www.law360.com/articles/1202393/print?section=california.

Paternoster, Leon, Getting round GDPR with dark patters. A case study: Techradar (August 12, 2018).  Available at https://www.leonpaternoster.com/posts/techradar-gdpr/.

Simon, et al., Summary of Key Findings from California Privacy Survey (October 16, 2019), Goodwin Simon Strategic Research.  Available at https://www.caprivacy.org/post/icymi-summary-of-key-findings-from-california-privacy-survey.

World Wide Web Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018).  Available at https://www.w3.org/TR/2018/REC-WCAG21-20180605/.

The Department is also providing notice that it will not be including the following study in the rulemaking file.

Javelin Strategy & Research, 2019 Identity Fraud Study: Fraudsters Seek New Targets and Victims Bear the Brunt (March 6, 2019).

The entire rulemaking file, which includes the documents referenced above, is available for inspection and copying throughout the rulemaking process during business hours at the location listed below.  In addition, some of the documents are available at www.oag.ca.gov/privacy/ccpa.

The Department will accept written comments regarding the proposed changes or materials added to the rulemaking file between Friday, February 7, 2020 and Monday, February 24, 2020. All written comments must be submitted to the Department no later than 5:00 p.m. on February 24, 2020 by email to PrivacyRegulations@doj.ca.gov, or by mail at the address listed below.

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
Email: PrivacyRegulations@doj.ca.gov

All timely comments received that pertain to the changes to the proposed regulations or the new materials added will be reviewed and responded to by the Department’s staff as part of the compilation of the rulemaking file.  Please limit written comments to those items.

NSA Releases Guidance on Mitigating Cloud Vulnerabilities

Original release date: January 24, 2020

The National Security Agency (NSA) has released an information sheet with guidance on mitigating cloud vulnerabilities. NSA identifies cloud security components and discusses threat actors, cloud vulnerabilities, and potential mitigation measures.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to review NSA’s guidance on Mitigating Cloud Vulnerabilities and CISA’s page on APTs Targeting IT Service Provider Customers and Analysis Report on Microsoft Office 365 and other Cloud Security Observations for information on implementing a defense-in-depth strategy to protect infrastructure assets.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Finalizes Settlement with California Tech Company Related to Privacy Shield

The Federal Trade Commission has finalized a settlement with a California technology company over allegations that it falsely claimed participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States.

The FTC alleged that Medable, Inc., falsely claimed in its privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the program’s principles. As part of the settlement with the FTC, Medable is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization.

After receiving no comments on the proposed settlement, the Commission voted 5-0 to give final approval to the settlement.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Finalizes Settlement with Utah Company and its former CEO over Allegations they Failed to Safeguard Consumer Data

The Federal Trade Commission has granted final approval to a settlement with a Utah-based technology company related to allegations that the firm failed to put in place reasonable security safeguards, allowing a hacker to access the personal information of more than a million consumers.

The FTC alleged that InfoTrax Systems, L.C. and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information they maintained on behalf of InfoTrax’s business clients. As a result of the company’s alleged security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. The hacker accessed consumers’ sensitive personal information, including Social Security numbers, according to the FTC’s complaint.

As part of the settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. In addition, the settlement requires the company and Rawlins to obtain third-party assessments of their companies’ information security programs every two years.

After receiving no comments on the settlement, the Commission voted 5-0 to finalize the settlement order with InfoTrax and Rawlins.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data

FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data

The Federal Trade Commission has granted final approval to a settlement with the former CEO of Cambridge Analytica, LLC and an app developer who worked with the company to resolve allegations they used deceptive tactics to collect personal information from tens of millions of Facebook users for voter profiling and targeting.

In its complaint, the FTC alleged that app developer Aleksandr Kogan worked with Cambridge Analytica and its former CEO Alexander Nix to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The FTC alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The Commission recently announced an Opinion that found that Cambridge Analytica, which filed for bankruptcy in 2018, engaged in similar conduct in violation of the FTC Act.

As part of the settlement, Kogan and Nix are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.

The Commission received one comment on the proposed settlement. The Commission voted 5-0 to finalize the order and to send a response to the commenter.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Finalizes Settlement with Company that Misled Consumers about how it Accesses and Uses their Email

The Federal Trade Commission finalized a settlement with an email management company that allegedly deceived some consumers about how it accesses and uses their email.

The FTC alleged that Unrollme Inc., which helps users unsubscribe from unwanted emails or consolidate their email subscriptions, falsely told consumers that it would not “touch” their personal emails in order to persuade consumers to provide access to their email accounts.

In fact, Unrollme shared users’ email receipts from completed transactions with Unrollme’s parent company, Slice Technologies, Inc. E-receipts can include, among other things, the user’s name, billing and shipping addresses, and information about products or services purchased by the consumer. Slice uses anonymous purchase information from Unrollme users’ e-receipts in the market research analytics products it sells.

As part of the settlement with the Commission, Unrollme is prohibited from misrepresenting the extent to which it collects, uses, stores, or shares information from consumers. It must also notify those consumers who signed up for Unrollme after viewing one of the allegedly deceptive statements about how it collects and shares information from e-receipts. The order also requires Unrollme to delete, from both its own systems and Slice’s systems, stored e-receipts previously collected from those consumers, unless it obtains their affirmative, express consent to maintain the e-receipts.

After receiving two comments, the Commission voted 4-0-1 to approve the settlement with Unrollme as well as responses to the commenters. Commissioner Rohit Chopra abstained from the vote.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

5 Ideas To Kickstart Your Governance, Risk and Compliance Program in the New Year!

We’ve all been there. Sitting around the conference room with our compliance teams, droning on about scheduling conflicts, procedural details and strategy about strategy. Here are some actual substantive ideas, initiatives and approaches to privacy, data governance and cyber-security that can get the ball rolling next year.

1. Policies aren’t just documents you keep around in case you might have to show them to a judge one day. Start putting them to work and leveraging their authority to cut costs and reduce operational risks!

For example:

  • Privacy policies, now required to be updated annually by the State of California, can actually help drive data mapping exercises, leading to new insights into structured and unstructured data systems. Use those insights to help patch gaps in your IT infrastructure and even retire costly, redundant systems, classify shadow IT and discard unused shelfware.
  • Retention policies can be used as virtual blueprints to justify and destroy, costly, over-retained paper records and electronic data lingering around the office and waiting to be discovered… by your adversaries!
  • Cyber-security policies like those required by the New York DFS can be used to help IT decision makers prioritize strategic investments in your cyber-defense software.
2. Chief executives realize audits are necessary to continually optimize business processes, but even the sharpest leaders sometimes forget the most sobering, useful assessments are conducted by outside parties who don’t have an inherently biased interest in determining the findings.

Executives need to make sure they are told what they need to hear, not what they want to hear.

3. One of the reasons assurance departments like compliance, risk and internal audit struggle with their annual reviews is because of a lack of policy organization within their OWN departments.

Lack of procedural consistency, ownership of policy and overlap and confusion over a directives authority in can create even more conflict, risk and uncertainty for an organization. But relying on institutional knowledge and spreadsheets just doesn’t cut it anymore. That’s why every regulated company needs a strong technology backbone in the form of a GRC or governance risk and compliance software.

4. These days the risk is not just internal. With so much of our data in the cloud and managed by other parties, some of the greatest risks have moved outside of the firewall.

Organizations need strategies and tools to help them prioritize and manage those vendor risks effectively. Sophisticated and affordable tools that address consumer data privacy requests can also be used to map and streamline an organizations external data, whether it’s private in nature or otherwise.

5. Finally, risk is not a one size fits all problem. Investment needs to be proportional to the exposure. That’s why it’s important to spend enough time planning your long-term strategy rather diving headfirst into solutions that promise the moon and end up creating more infrastructure dependency than you bargained for.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers Insurance. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders

ICRM will not only conduct their spring Board and Business meetings at the MER Conference next May in Chicago, but will also facilitate a panel discussion  “Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders.” 

The panel of experts include: John Isaza, Esq, FAI, Rafael Moscatel, CRM, IGP, CIPM, and Wendy McLain, MLIS, CRM.  The panel of Academic Partners include: Patricia Franks, Ph.D, CRM, CA, IGP – San Jose State University; Gregory S. Hunter, Ph.D, CA, CRM, FSAA – Long Island University, Palmer School of Library and Information Science, and Tao Jin, Ph.D – Louisiana State University, School of Library and Information Science.

The desired outcome is to expand and nurture an ongoing and productive dialogue between our profession and academic institutions to ensure graduates are well prepared to fill current and future positions in key areas of Records and Information Management (RIM) and Information Governance (IG).  If interested in joining us at the MER Conference – go to their website and register for conference.  https://www.merconference.com/

FTC Extends Deadline for Comments on COPPA Rule until December 11

The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.

The federal government’s Regulations.gov portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via Regulations.gov can submit them via email with the subject line “COPPA comment” to secretary@ftc.gov. All comments, whether filed through Regulations.gov or sent by email, must be submitted by11:59 p.m. ET on December 11, 2019.

The Commission voted 5-0 to extend the comment deadline until December 11, 2019.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.