California Privacy Act – What Businesses Need To Do, Now.

After much anticipation, the California Attorney General (AG) announced in early June 2020 that the final California Consumer Protection Act (CCPA) regulations were being submitted to the Office of Administrative Law (OAL) for review. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

Because enforcement of the CCPA began on July 1, 2020, now is the time for covered businesses and service providers to size-up their compliance efforts. Although there are many issues that remain unclear, the regulations may provide a road map to the AG’s enforcement priorities. Among the issues addressed by the final regulations—as well as the AG’s “Final Statement of Reasons” which accompanied those regulations— are the following:

  • Privacy Policy: A business’ privacy policy must inform consumers of their rights under the CCPA and how they can submit requests to know or delete personal information. In addition, the privacy policy should disclose the categories of personal information collected, the categories of personal information disclosed for a business purpose or sold to a third party and provide on a per category basis the categories of third parties to whom the information was disclosed or sold.
  • Required Notices: The final regulations detail the information that should be included in the various notices. They also require business to use “plain, straightforward language” and a format that draws the consumer’s attention to the notice. In addition, the AG clarified that the regulations do “not require a cookie banner, but rather leave it to businesses to determine the formats that will best achieve the result in particular environments. In other words, it appears that the use and nature of tracking technologies can be disclosed in the privacy policy assuming that policy is readily available to the public.
  • Service Providers: The regulations require that service providers use the personal information they receive from businesses “to process or maintain personal information on behalf of the business … and in compliance with the written contract for services required by the CCPA,” except in certain narrowly-defined circumstances, such as building or improving the quality of their services. If an entity qualifies as a service provider, the transfer of information from a business to them is not deemed a sale. Moreover, the Final Statement of Reasons clarifies that service providers do not lose their status as service providers merely because they collect consumers’ personal information directly, if that collection is performed at the business’s direction and on behalf of that business.
  • Subcontractors: The regulations provide that service providers may hire subcontractors, as long as the subcontractors meet all the requirements for a “service provider” set forth in the CCPA and the regulations.
  • User-Enabled Privacy Controls: Businesses must honor privacy controls that clearly communicate or signal that the consumer intends to opt out of the sale of personal information.
  • Training and Recordkeeping: The regulations require training for all individuals responsible for handling consumer inquiries. Businesses must also retain records of consumer requests and how the business responded to such request for 24 months.
  • No Discrimination: A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.

Privacy Shield Update from the Federal Trade Commission

On July 16, 2020, the European Court of Justice issued a judgment declaring invalid the European Commission’s Decision 2016/1250/EC of July 12, 2016 on the adequacy of the EU-U.S. Privacy Shield Framework. We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers. Updated on July 21st, 2020.

PrivacyCon 2020 | Federal Trade Commission

The FTC will host its fifth annual PrivacyCon on July 21, 2020. For PrivacyCon 2020, the FTC is seeking research presentations on any topic related to consumer privacy and security. However, we will focus in particular on the privacy of health data collected, stored, and transmitted by mobile applications (“apps”). The call for presentations saught empirical research responding to several questions, including:

What are the risks to consumer data, particularly data held by health apps, and how does the risk vary by product and data type?
Which products are transmitting user data to third parties, who are the recipients, what are the data, and what are the apparent purposes for these transmissions?
Has empirical work assessed consumer perception of the privacy and security of products that handle sensitive information? What factors affect that perception (e.g., endorsement by a credible organization, popularity, representations in the privacy policy, claims in a user interface, paid versus non-paid version)? Are consumer perceptions of the privacy and security of products accurate? How do we know?
What are the tradeoffs between product functionality (including the ability to combine data from various devices) and increased security or increased privacy protections?
Are there unique attributes or characteristics of apps that collect, store, or transmit health data that merit special attention or focus?
The deadline for submissions was April 10, 2020.

PrivacyCon is free and open to the public.

This event will be held online.

via PrivacyCon 2020 | Federal Trade Commission

FTC Releases Agenda for PrivacyCon 2020 | Federal Trade Commission

via FTC Releases Agenda for PrivacyCon 2020 | Federal Trade Commission

The Federal Trade Commission has released the final agenda for its fifth annual PrivacyCon event, which will be held online on July 21, 2020.

PrivacyCon 2020 will bring together a diverse group of stakeholders to discuss the latest research and trends related to consumer privacy and data security.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, will give opening remarks to kick off the event and will be followed by six panel discussions. The three morning sessions will focus on research related to health apps, artificial intelligence, and Internet of Things devices. The three afternoon sessions will feature discussions on research related to the privacy and security of specific technologies such as digital cameras and virtual assistants, international privacy, and miscellaneous privacy and security issues.

Links to the research that will be presented at PrivacyCon 2020 are available on the event page. PrivacyCon will take place online from 9 a.m. ET to 5 p.m ET. A link to view PrivacyCon 2020 will be posted on the event page prior to the start of the event. Registration is not required.

CCPA Proposed Regulations Submitted to the Office of Administrative Law

California Attorney General Xavier Becerra submitted final proposed regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The regulations will provide guidance to businesses on how to comply with the CCPA and will enable consumers to exercise new rights over their personal information. Under Executive Order N-40-20 related to the COVID-19 pandemic, OAL has 30 working days and an additional 60 calendar days to determine whether the regulations satisfy the procedural requirements of the Administrative Procedure Act. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

A copy of the complete rulemaking package submitted to OAL, including a text of the regulations, can be found at www.oag.ca.gov/ccpa.

The final proposed regulations were drafted after a broad and inclusive preliminary rulemaking process, which included seven public forums, during which the office received over 300 letters. During the formal rulemaking process, Attorney General Becerra held four public hearings throughout the state, along with a 45-day comment period and two subsequent 15-day comment periods. These comment periods resulted in the submission of over 1,000 public comments, each of which were taken into consideration when drafting the final regulations.

So, how much is this damn CCPA thing gonna #$@&%* cost me?! – Rafael Moscatel

The short answer? A lot, but not as much as you might have been told…

via So, how much is this damn CCPA thing gonna #$@&%* cost me?! – Rafael Moscatel

ILTA Blackberry and CAPP Presentation

As I’ve traveled around California doing my “Blessings of the CCPA” presentation, I’ve been asked repeatedly about the “average” cost of a CCPA solution from CFO’s, GC’s and IT folks alike. It’s a loaded question as there are many requirements to the law, from policy and website disclosures to consumer data request obligations. One size does not fit all and your organization needs to spend time methodically planning its approach before setting aside budget and other resources.

While some unprepared organizations may need to beef up spending in the near-term, others may end up refining their programs over the coming years as they realize their initial investment wasn’t as strategic as it probably needs to be.

Decision makers, consider the following:

  • What’s our true risk exposure based on the personal data we already collect, sell, barter, manage, etc. on behalf of our business partners?
  • Can we do this all in-house or should we outsource some of it?
  • Do we have any existing talent and software that might help streamline some of the CCPA’s major workstreams like data mapping?
  • What kind of fundamental changes are we willing to make to our IT infrastructure?
  • Do we fully automate self-service requests through API’s and is that even the right idea, long-term, given our risk, the evolving nature of IT and emerging legislation?
  • How can taking a principle based approach to privacy using concepts like data minimization to insulate us going forward?

Click here for a free CCPA Roadmap from Compliance and Privacy Partners.

Clearly, all of us subject to the law need to protect our business and expect some activity, whether it be through consumer requests or even the limited right of private action afforded by the CCPA. That doesn’t mean you turn your entire organization upside down and fork over hundreds of thousands of dollars in licensing ransom! Change management on this scale first requires proper risk analysis, roadmapping and getting stakeholders to buy-in and be accountable.

Then what’s my next step?

Before you embark on this journey to become a privacy-centric company, the real question you should be asking yourself is….

Are there consultants and affordable software solutions out there that will leverage our resources and best minds to help us implement a proportional strategy that protects us? 

The answer to that last question is YES!

Slide4
CAPP’s California Consumer Privacy Act Roadmap

Long-term solutions need to be fact-based and reasonable, recognizing the unique facets of your culture and business model. Big, complex and expensive isn’t always better.

It’s true there are some amazingly fancy privacy software products out there. But do you really want to spend a quarter to half-a-million dollars a year to fend off what might ultimately be a handful of consumer requests and opt-outs, when you can do the exact same thing with a far less expensive and better tool?

The bottom line…

There are so many vendors playing in the privacy space today and way too many folks are impulsively investing either too heavily or disproportionately in them just to “check the box.” Yes, of course you need to “check the box,” but running headfirst into this regulatory challenge could leave you with a budget nightmare and organizational headache you’ll soon regret.

The bottom line is your investment needs to be proportional to your risk profile and the complexity of your infrastructure and organization. Even then, you may not need a solution that costs you hundreds of thousands of dollars when you could be compliant and sleep comfortably for under $50,000 a year.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

CCPA Regulations Update

NOTICE OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS AND ADDITION OF DOCUMENTS AND INFORMATION TO RULEMAKING FILE

Update to Proposed Text

Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of changes made to the proposed regulations regarding the California Consumer Privacy Act, which were published and noticed for public comment on October 11, 2019.  These changes are in response to comments received regarding the proposed regulations and/or to clarify and conform the proposed regulations to existing law.  The originally proposed regulations, this Notice, the text of the proposed regulations as modified, and a comparison of the text as originally proposed with the modifications, are available at www.oag.ca.gov/privacy/ccpa.

Update to Documents and Other Information Relied Upon

Pursuant to the requirements of Government Code sections 11346.8, subdivision (d), 11346.9, subdivision (a)(1), and 11347.1, the Department is also providing notice that documents and other information which the Department has relied upon in adopting the proposed regulations have been added to the rulemaking file and are available for public inspection and comment.

The documents and information added to the rulemaking file are as follows:

Accenture Interactive, See people, not patterns. (2019). Available at https://www.accenture.com/_acnmedia/PDF-110/Accenture-See-People-Not-Patterns.pdf.

Cranor, et al., Design and Evaluation of a Usable Icon and Tagline to Signal an Opt-Out of the Sale of Personal Information as Required by CCPA (February 4, 2020).

Douglis, et al., How the CCPA impacts civil litigation (January 28, 2020).  Available at https://iapp.org/news/a/how-the-ccpa-impacts-civil-litigation/#.

Duffy, et al., Retail Loyalty Programs Will Survive Calif. Privacy Law (September 26, 2019), Law360.  Available at https://www.law360.com/articles/1202393/print?section=california.

Paternoster, Leon, Getting round GDPR with dark patters. A case study: Techradar (August 12, 2018).  Available at https://www.leonpaternoster.com/posts/techradar-gdpr/.

Simon, et al., Summary of Key Findings from California Privacy Survey (October 16, 2019), Goodwin Simon Strategic Research.  Available at https://www.caprivacy.org/post/icymi-summary-of-key-findings-from-california-privacy-survey.

World Wide Web Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018).  Available at https://www.w3.org/TR/2018/REC-WCAG21-20180605/.

The Department is also providing notice that it will not be including the following study in the rulemaking file.

Javelin Strategy & Research, 2019 Identity Fraud Study: Fraudsters Seek New Targets and Victims Bear the Brunt (March 6, 2019).

The entire rulemaking file, which includes the documents referenced above, is available for inspection and copying throughout the rulemaking process during business hours at the location listed below.  In addition, some of the documents are available at www.oag.ca.gov/privacy/ccpa.

The Department will accept written comments regarding the proposed changes or materials added to the rulemaking file between Friday, February 7, 2020 and Monday, February 24, 2020. All written comments must be submitted to the Department no later than 5:00 p.m. on February 24, 2020 by email to PrivacyRegulations@doj.ca.gov, or by mail at the address listed below.

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
Email: PrivacyRegulations@doj.ca.gov

All timely comments received that pertain to the changes to the proposed regulations or the new materials added will be reviewed and responded to by the Department’s staff as part of the compilation of the rulemaking file.  Please limit written comments to those items.

FTC Finalizes Settlement with California Tech Company Related to Privacy Shield

The Federal Trade Commission has finalized a settlement with a California technology company over allegations that it falsely claimed participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States.

The FTC alleged that Medable, Inc., falsely claimed in its privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the program’s principles. As part of the settlement with the FTC, Medable is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization.

After receiving no comments on the proposed settlement, the Commission voted 5-0 to give final approval to the settlement.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Finalizes Settlement with Utah Company and its former CEO over Allegations they Failed to Safeguard Consumer Data

The Federal Trade Commission has granted final approval to a settlement with a Utah-based technology company related to allegations that the firm failed to put in place reasonable security safeguards, allowing a hacker to access the personal information of more than a million consumers.

The FTC alleged that InfoTrax Systems, L.C. and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information they maintained on behalf of InfoTrax’s business clients. As a result of the company’s alleged security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. The hacker accessed consumers’ sensitive personal information, including Social Security numbers, according to the FTC’s complaint.

As part of the settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. In addition, the settlement requires the company and Rawlins to obtain third-party assessments of their companies’ information security programs every two years.

After receiving no comments on the settlement, the Commission voted 5-0 to finalize the settlement order with InfoTrax and Rawlins.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data

FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data

The Federal Trade Commission has granted final approval to a settlement with the former CEO of Cambridge Analytica, LLC and an app developer who worked with the company to resolve allegations they used deceptive tactics to collect personal information from tens of millions of Facebook users for voter profiling and targeting.

In its complaint, the FTC alleged that app developer Aleksandr Kogan worked with Cambridge Analytica and its former CEO Alexander Nix to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The FTC alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The Commission recently announced an Opinion that found that Cambridge Analytica, which filed for bankruptcy in 2018, engaged in similar conduct in violation of the FTC Act.

As part of the settlement, Kogan and Nix are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.

The Commission received one comment on the proposed settlement. The Commission voted 5-0 to finalize the order and to send a response to the commenter.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Extends Deadline for Comments on COPPA Rule until December 11

The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.

The federal government’s Regulations.gov portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via Regulations.gov can submit them via email with the subject line “COPPA comment” to secretary@ftc.gov. All comments, whether filed through Regulations.gov or sent by email, must be submitted by11:59 p.m. ET on December 11, 2019.

The Commission voted 5-0 to extend the comment deadline until December 11, 2019.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield

The Federal Trade Commission issued an Opinion finding that the data analytics and consulting company Cambridge Analytica, LLC engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The Opinion also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework.

In an administrative complaint filed in July, FTC staff alleged that Cambridge Analytica and its then-CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers. Nix and Kogan agreed to settle the FTC’s allegations. Cambridge Analytica, which filed for bankruptcy in 2018, did not respond to the complaint filed by FTC staff, or a motion submitted for summary judgment of the allegations.

The FTC staff’s administrative complaint alleged that Kogan worked with Nix and Cambridge Analytica to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The complaint alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The complaint also alleged that Cambridge Analytica claimed it participated in the EU-U.S. Privacy Shield—which allows companies to transfer consumer data legally from European Union countries to the United States—after allowing its certification to lapse. In addition, the complaint alleged the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

In its Opinion, the Commission found that Cambridge Analytica violated the FTC Act through the deceptive conduct alleged in the complaint. The Final Order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations. In addition, the company is required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information. It also must delete the personal information that it collected through the GSRApp.

The Commission voted 5-0 to issue the Opinion and Final Order.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Announces Settlements with Four Companies Related to Allegations they Deceived Consumers over Participation in the EU-U.S. Privacy Shield

The Federal Trade Commission has reached settlements with four companies that allegedly misrepresented their participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States. The FTC also alleged that two of the companies failed to comply with Privacy Shield requirements.

In separate actions, the FTC settled Privacy Shield cases against:

In addition to allegations that each company falsely claimed to participate in the EU-U.S. Privacy Shield framework, the FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework, which establishes a process for companies to transfer consumer data in compliance with Swiss law.

In its cases against Global Data and TDARX, the FTC further alleged that the companies continued to claim participation in EU-U.S. Privacy Shield after allowing their certifications to lapse, and that those companies failed to comply with the framework. The companies allegedly failed to verify annually that statements about their Privacy Shield practices were accurate, and failed to affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.

“The Privacy Shield Framework is critical to facilitating transatlantic commerce and assuring our European partners of our commitment to data protection,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Enforcement of the Privacy Shield framework is a priority of the FTC, and we will hold companies accountable where, as here, they fail to keep their Privacy Shield promises.”

The Department of Commerce administers both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, while the FTC enforces the promises companies make when joining the programs. With today’s announcement, the FTC has now brought a total of 21 enforcement actions related to the EU-U.S. Privacy Shield framework since it was established in 2016.

Under the settlements, all four companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, as well as any other privacy or data security program sponsored by any government, or any self-regulatory or standard-setting organization. As part of their settlements, Global Data Vault and TDARX also are required to continue to apply the Privacy Shield protections to personal information they collected while participating in the program, or return or delete the information.

The Commission voted 5-0 to issue the proposed administrative complaints and to accept the consent agreements with the four companies. The FTC will publish a description of the consent agreement packages in the Federal Register soon. The agreements will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent orders final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

CCPA Rulemaking Activities – Upcoming Hearings

CPA Rulemaking Activities – Upcoming Hearings

On October 10, 2018, the Attorney General released proposed regulations for the California Consumer Privacy Act of 2018 (CCPA).  The California Department of Justice (DOJ) will hold four public hearings to provide all interested persons the opportunity to present statements or comments on the proposed regulations, as detailed below.  The hearings will begin promptly at 10:00 a.m. and will conclude when the last speaker has finished their presentation.  Please note that attendees may be required to go through building security before entering each venue.  For more information about the public hearings, and to RSVP, please visit: https://www.oag.ca.gov/privacy/ccpa/rsvp.

The deadline to submit written comments is December 6, 2019 at 5:00 p.m. (PST).  Comments may be submitted via email (PrivacyRegulations@doj.ca.gov), mail (Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013), or at the public hearings.

Please visit www.oag.ca.gov/privacy/ccpa for information about the DOJ’s CCPA rulemaking process, including the following newly added pdfs:  Tips on Submitting Effective Comments and Information about the Rulemaking Process.

PUBLIC HEARING DATES

Sacramento
December 2, 2019; 10:00 a.m.
CalEPA Building
Coastal Room, 2nd Floor
1001 I Street
Sacramento, CA 95814

Los Angeles
December 3, 2019; 10:00 a.m.
Ronald Reagan Building
Auditorium, 1st Floor
300 S. Spring Street
Los Angeles, CA 90013

San Francisco
December 4, 2019; 10:00 a.m.
Milton Marks Conference Center
Lower Level
455 Golden Gate Ave.
San Francisco, CA 94102

Fresno
December 5, 2019; 10:00 a.m.
Fresno Hugh Burns Building
Assembly Room #1036
2550 Mariposa Mall
Fresno, CA 93721

California Company Settles FTC Allegations that it Falsely Claimed Participation in EU-U.S. Privacy Shield

California Company Settles FTC Allegations that it Falsely Claimed Participation in EU-U.S. Privacy Shield

A California company has agreed to settle Federal Trade Commission allegations that it falsely claimed participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States.

In its complaint, the FTC alleged that Medable, Inc.—which provides technology solutions to business customers operating in pharmaceutical, biotechnology, and research industries—falsely claimed in its privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the program’s principles. While the company initiated an application with the Department of Commerce in December 2017, it did not complete the steps necessary to participate in the framework.

The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the program. With today’s announcement, the FTC has now brought a total of 17 enforcement actions related to the Privacy Shield framework since it was established in 2016.

As part of the settlement with the FTC, Medable is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization.

The Commission vote to issue the proposed administrative complaint and to accept the consent agreement with Medable was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

Google pushes out important updates about the California Consumer Privacy Act (CCPA)

On Monday, November 18th, Google AdSense pushed out the following updates regarding the California Consumer Privacy Act:

from Google:

The California Consumer Privacy Act (CCPA) is a new data privacy law that applies to certain businesses which collect personal information from California residents. The new law goes into effect on January 1, 2020.
Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms under the CCPA, which will supplement those existing data protection terms (revised to reflect the CCPA), effective January 1, 2020. For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract.
These service provider terms will be made available alongside new tools for partners to enable restricted data processing. Restricted data processing is intended to help partners prepare for CCPA. Some partners may decide to send a restricted data processing signal for users who click a CCPA opt-out link. Other partners may decide to enable restricted data processing for all users in California via a control in our products. Subject to the service provider terms, we will act as your CCPA service provider with respect to data processed while restricted data processing is enabled. You can refer to this article for more information on restricted data processing and to determine whether restricted data processing meets your CCPA compliance needs. Please also refer to our Help Center articles for Ad ManagerAdMobAdSense for more information on enabling restricted data processing.
Please see privacy.google.com/businesses for more information about Google’s data privacy policies.

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

FTC Slaps InfoTrax and its CEO with Severe Cybersecurity Order

Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data

As a result, hacker gained access to personal information of a million consumers, agency says

via FTC Press Release

A Utah-based technology company has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.

InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training, and data security, as well as operating its clients’ website portals.

In its complaint, the FTC alleges that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. This includes failing to:

  • inventory and delete personal information it no longer needed;
  • conduct code review of its software and testing of its network;
  • detect malicious file uploads;
  • adequately segment its network; and
  • implement cybersecurity safeguards to detect unusual activity on its network.

In addition, the FTC alleged that InfoTrax stored consumers’ personal information—such as Social Security numbers, payment card information, bank account information, and user names and passwords—in clear, readable text on its network.

“Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”

As a result of the company’s security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. In March 2016, the intruder accessed about one million consumers’ sensitive personal information, according to the complaint.

InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity. This alert was due to a data archive file created by the hacker who had infiltrated its network. InfoTrax’s security failures not only affected its network but also the websites of its clients, the FTC alleges.

The personal information that the intruder obtained can be used to commit identity theft and fraud. The FTC alleges that InfoTrax’s failure to provide reasonable security for personal data in its care violated the FTC’s prohibition against unfair practices.

As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.

In addition, the proposed settlement requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.

The Commission vote to issue the administrative complaint and to accept the proposed consent agreement with InfoTrax and Rawlins was 5-0. Commissioner Christine S. Wilson released a concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

Great Scott! A True Story Illustrating the Importance of Ethics in Privacy and Records Management

Truth is stranger than fiction…

There’s a memorable scene in Back to the Future 3 where Marty receives a Western Union telegraph from Doc almost a century after it was originally mailed, warning him of events to come. Seems an unlikely possibility that any organization would honor such a request to preserve, protect and deliver documents for so long. However, that’s exactly what happens every day, all over the world, and it happened to me only a few years ago when I found out I was adopted at the age of 33! The experience was so life changing that I made a film about it which is finally available this month on Amazon and Itunes.

The Little Girl with the Big Voice, A Documentary on iTunes

The State of California, to whom I wrote a letter verifying my identification, swiftly wrote me back with a manila envelope containing a treasure trove of documents gathered from multiple state agencies. In the package were details from social workers, hospitals, doctors and even notes from my biological parents! They were all free of charge and kept under seal for over three decades! We take these systems for granted nowadays but can you imagine how effective a system must be to protect my information for this long, over so many administrations and to do it largely without computers? What really makes these processes work is not technology of course, it’s people. But what motivates these people to do such a thing?

Adoption details from the State of California

An honorable discipline based on ethics.

I’ll tell you what my own epiphany was, as somebody who works in the fields of Information Governance and Privacy… and that was that record keeping, and those who perform it, are part of the ethical backbone that so much of our society relies on. This often thankless discipline codifies and exemplifies the altruistic commitment we have, and must continue to have to one other. It’s a commitment to value the records and history that tell us who we are and a pledge to protect those records as a matter of ethics ethics and common values. It’s one of the reasons Archives and Records Management has been a passion of mine for so many years.

What can we, as information managers, learn from all of this?

With Joe Franklin

The new era of Privacy is a boon for Records Management because it underscores the truth that the most important data and records are not just necessary for business continuity, death and taxes but are personal. The return of the discussion of privacy as a fundamental right is not new of course. It’s written into the Constitution in the 4th Amendment. It has been defined historically through almost all cultures and even has biblical roots. Privacy a gift that we’re just beginning to learn how to appreciate again and a silver lining in a world struggling so hard to protect it.

So, how much is this damn CCPA thing gonna #$@&%* cost me?!

The short answer? A lot, but not as much as you might have been told…

As I’ve traveled around California doing my “Blessings of the CCPA” presentation, I’ve been asked repeatedly about the “average” cost of a CCPA solution from CFO’s, GC’s and IT folks alike. It’s a loaded question as there are many requirements to the law, from policy and website disclosures to consumer data request obligations. One size does not fit all and your organization needs to spend time methodically planning its approach before setting aside budget and other resources.

While some unprepared organizations may need to beef up spending in the near-term, others may end up refining their programs over the coming years as they realize their initial investment wasn’t as strategic as it probably needs to be.

ILTA Blackberry and CAPP Presentation
At the San Diego ILTA Presentation of “Preparing for the California Consumer Privacy Act”

Decision makers, consider the following:

  • What’s our true risk exposure based on the personal data we already collect, sell, barter, manage, etc. on behalf of our business partners?
  • Can we do this all in-house or should we outsource some of it?
  • Do we have any existing talent and software that might help streamline some of the CCPA’s major workstreams like data mapping?
  • What kind of fundamental changes are we willing to make to our IT infrastructure?
  • Do we fully automate self-service requests through API’s and is that even the right idea, long-term, given our risk, the evolving nature of IT and emerging legislation?
  • How can taking a principle based approach to privacy using concepts like data minimization to insulate us going forward?

Click here for a free CCPA Roadmap from Compliance and Privacy Partners.

Clearly, all of us subject to the law need to protect our business and expect some activity, whether it be through consumer requests or even the limited right of private action afforded by the CCPA. That doesn’t mean you turn your entire organization upside down and fork over hundreds of thousands of dollars in licensing ransom! Change management on this scale first requires proper risk analysis, roadmapping and getting stakeholders to buy-in and be accountable.

Then what’s my next step?

Before you embark on this journey to become a privacy-centric company, the real question you should be asking yourself is….

Are there consultants and affordable software solutions out there that will leverage our resources and best minds to help us implement a proportional strategy that protects us? 

The answer to that last question is YES!

Slide4
CAPP’s California Consumer Privacy Act Roadmap

Long-term solutions need to be fact-based and reasonable, recognizing the unique facets of your culture and business model. Big, complex and expensive isn’t always better.

It’s true there are some amazingly fancy privacy software products out there. But do you really want to spend a quarter to half-a-million dollars a year to fend off what might ultimately be a handful of consumer requests and opt-outs, when you can do the exact same thing with a far less expensive and better tool?

The bottom line…

There are so many vendors playing in the privacy space today and way too many folks are impulsively investing either too heavily or disproportionately in them just to “check the box.” Yes, of course you need to “check the box,” but running headfirst into this regulatory challenge could leave you with a budget nightmare and organizational headache you’ll soon regret.

The bottom line is your investment needs to be proportional to your risk profile and the complexity of your infrastructure and organization. Even then, you may not need a solution that costs you hundreds of thousands of dollars when you could be compliant and sleep comfortably for under $50,000 a year.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

California Dreamin’ – A Free Roadmap For your CCPA Journey

What is the CCPA and why should you care?

In response to recent stateside efforts to enshrine data protection including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size. Yet each intend to protect consumer’s personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.


What you need to know and do to ensure compliance with California’s new Consumer Privacy Act

New regulations governing use of customer and personal data needn’t be burdensome.  Rather, they help reduce expenses and monetize the information lifecycle, identify opportunities for better governance to avoid fines and litigation exposure and foster trust to enhance customer experiences. Download this FREE detailed CCPA roadmap to see how you can get your company on the path to compliance.


This slideshow requires JavaScript.

Our CCPA and GDPR engagements include:

  • Data and resource mapping
  • Conducting gap and risk assessments
  • Controls evaluation to standards
  • Establishing governance with clearly defined roles and responsibilities
  • Policies and procedures review
  • Domestic and International legal review of privacy and security policies to fit the organization’s risk profile and culture
  • Consumer data request and delivery mechanism (including website notices)
  • Providing education and training
  • Design of role-based access control (RBAC) rights
  • Privacy impact assessment (PIA/DPIA) during product design

Third Party Due Diligence Support

  • Pre-contract due diligence and consulting
  • Cloud services guidance
  • Managed security services (build or buy guidance)
  • Third-party management program/policy

Our consulting and software solutions enable clients to comply with CCPA provisions 1798.110(a)(4), 1798.100, 1798.105, 1798.110, 1798.120, 1798.145, 1798.140, 1798.150


Call us today to see how we can help you with:

  • California Consumer Privacy Act of 2018, Amendments and Rulemaking
  • HIPAA/HITECH Security, Privacy and Breach Notification Rules
  • Generally Accepted Privacy Principles (GAPP)
  • EU’s General Data Protection Regulation (GDPR)
  • ISO/IEC 27001-2:2013
  • CIS Top 20 Critical Security Controls (CA AG requires)
  • SEC OCIE Cybersecurity Initiative
  • NIST Cybersecurity Framework
  • U.S. Sentencing/DOJ/OIG Guidelines for Effective Compliance (program foundation)
  • Applying Risk Management Program Management and Principles

Reflections on IAPP’s Privacy.Security.Risk. Conference 2019

By Rafael Moscatel, Certified Information Privacy Manager (CIPM)

HEY BOSS, LOOKS LIKE PRIVACY IS KIND OF A BIG DEAL NOW

IAPP’s Privacy.Security.Risk. Conference 2019 took place in Las Vegas over four days at the end of September and was attended by more than 2000 attendees hailing from all over the United States as well as a number of countries. The Fortune 500 was well represented but I also met a number of other astute organizations and took a tour of the industry’s big vendors on the showroom floor. Although I live tweeted the event I’d been waiting to share my complete thoughts until after I passed my CIPM exam, which I did just a couple days ago. More on that later…

THE FIELD OF INFORMATION MANAGEMENT CONFERENCES GROWS MORE CROWDED

First, as a Certified Records Manager (CRM) and Information Governance Professional (IGP), I’ve been to and spoke at my share of conferences touching on best practices for information management, privacy, security and content. What made this one different? Well, besides how well the conference was organized and the venue, The Cosmopolitan, almost all of the workshops were just first rate, chalk full of real take home targeted content and timely. The vast majority of the presenters were seasoned and even the first-timers made the grade. Here we are on the heels of one of the biggest new privacy laws, the California Consumer Privacy Act, and these sessions were speaking directly to its attendees on how to take specific action and plan for additional state directives. The education aspect and sales piece blended well, with technology complementing best practices and not the other way around. And the conference also left me with a lot of questions…

DO WE HAVE THE RIGHT TO BE FORGOTTEN?

I didn’t attend the training sessions on the first two days but made it to the opening keynote by Former Chairman of the FCC, Tom Wheeler who gave the audience a 30,000 foot view and shared thoughts from his new book, From Gutenberg to Google. A great way to set the tone for the conference and then it was followed up by Janelle Shane who focused on rudimentary examples of AI but didn’t really connect her topic that well to Privacy. Nonetheless, it was an interesting takeaway. However, my favorite keynote came in the form of a play by Sharyn Rothstein and directed by Seema Sueko entitled The Right To Be Forgotten. The play examined a concept that we find in Europe but which still hasn’t taken hold in the States. It follows the impact of a young man’s juvenile mistakes and how they follow him around as he gets older, impacting his reputation and his life.

IS THERE A PLACE FOR DIGITAL ETHICS?

I know a number of people who have been personally affected by the internet, both by their own doing and also unfairly, and so this was a terrific way of introducing these challenges to the audience. The problem was that the rest of the conference didn’t really touch on this topic because it was more focused on CCPA and the corporate aspects of privacy program implementation. That’s fine but it left me wondering if in the United States we’re really where we need to be on the privacy front. We seem to only be focused on the issue from a data protection standpoint rather than an ethical one, whereas GDPR and other parts of the world take a more holistic view. Yes, we have HIPAA and the Children’s Online Privacy Protection Act (COPPA) but it feels like many of our laws are still really about breaches and liability and not about the value of privacy.

The conundrum seems to be that while we’re moving, as industries, toward a business culture of privacy, our culture as a whole is moving in the opposite direction, away from arms length communication and behavior and towards oversharing and a lack of discrepancy. How do these two worlds exist? We know that hackers are now using personal information voluntarily shared with the world to design more sophisticated phishing attacks and deep fakes. We know that thieves use location and vacation information shared through social media to know when you’re home and plan robberies. And despite all of these controls supposedly put in place around the world, we continue to give more of our personal information away which ends up being held as ransome against our companies. Yes, we know we have to share this information to enjoy convenience and in many cases now, to simply survive and get daily errands completed, but it still feels like digital sisyphus. In the age of the personal brand, are there even any private people around anymore? What good is all of this data protection if society as a whole has given up on the ethics of privacy? Besides the play at the conference and some of the discussions around children’s privacy, I didn’t see much of a discussion here, but perhaps it wasn’t the venue. I recently had a discussion with noted Data Privacy Professor Anita Allen, who wrote the first casebook on privacy law, on these ethical aspects of privacy that will soon be available in my book, Tomorrow’s Jobs Today.

THE RISE OF THE MACHINES

So, full disclosure, I work with a few vendors in the privacy space but my thoughts on privacy vendors are not influenced by those relationships. I saw some amazing products at P.S.C.19.  The products seem to be maturing and there is a lot of venture funding going into developing large enterprise scale platforms that do an A to Z job in addressing GDPR and CCPA. There are a couple big players in the business and the industry should be grateful for their sponsorship of conferences like this and generally moving the ball forward in terms of conversations around privacy.

What I’m seeing is a lot of enterprise product that is designed specifically for large organizations and a lot of file analysis, enterprise architecture and other similar companies trying to adapt their solutions to solve the problem. The problem is that the problem is constantly evolving and despite a pretty clear prescription in the CCPA legislation, I just don’t think one size fits all. Especially if you’re looking at a capital investment to check a compliance box that might be covered in a more strategic manner. Let me explain…

I had the pleasure of sitting with a team of folks from a major multinational and a peer and I questioned them about their approach to CCPA. It was pretty impressive. They had half a dozen folks attending the conference from a number of their offices. They had hired an industry leader to implement their program. So lots of investment, lots of buy in and it was proportional because their size makes them a natural target for a regulator. One of the more amusing partners in the group casually replied to me after I asked if they were ready by saying, “Yeah, but I’m going to be really pissed if we did all this work and don’t even get one request!” That’s of course what a lot of organizations realized following the GDPR where the flood of data subject requests turned out to be a trickle. So, despite their aversion to risk and likely thorough, appropriate strategy, I still wonder it it’s right for everybody. What about the companies with a smaller footprint and much smaller budget? Does it make sense to have an omnibus-like enterprise product, with dozens of API’s and infrastructure demands take over a section of your IT department?

WHAT ABOUT STRATEGY?

Here’s the truth about privacy programs and tools. There’s no silver bullet. Dumping a ton of money into an existing IT or Records Management program or hiring a team of half a dozen twenty-six year old MBA’s from one of the big four to turn your enterprise upside down (yes I’ve seen that) is not even close to a smart information governance strategy. Unfortunately this is the first time many organizations have had to take a close look at their information and records management programs. In many cases, especially with regulated industries, information management has played a role in meeting regulatory and audit demands but it wasn’t necessarily center stage the way it is now. Many companies have a retention schedule or policy but were probably over-retaining a lot of their data and not taking action on some of the other aspects of it like data classification until the privacy movement came along.

Data Protection Impact Assessment with CAPP using LogicGate

Privacy-centric records management is basically the ideal Information Governance project or initiative. That’s because to accomplish privacy goals, companies need to not simply revise policies, they need to holistically understand how those policies work with other areas of their business like data security and records management. Fortunately, a lot of the groundwork has already been in place at many organizations, specifically in Finance and Health, in order to integrate a privacy-centric framework. If it has been performed you should also complement it with a DPIA or Privacy Impact Assessment.

That said, how do you get the most value of the technology you implement? I think you do that by having the types of conversations that allow the best minds in your organization to become stakeIholders in the ultimate solution. Before you buy product, you need to survey your landscape. It may be that you need a privacy program and privacy protections for your consumers, employees and vendors but your data subject requests are not so cumbersome that you require an overhaul of your inventory and integrations.

Can you use an Enterprise Architecture and data mapping tool in concert with a separate data subject request tools instead of automating everything? Maybe. Consider the investment and time that might go into continuously monitoring a complicated, heavily API dependent and seldom-used privacy tool. Might that effort be better put into maintaining an EA tool that not only supports the mapping requirements of data privacy legislation but also supports other areas of the IT business? Don’t we want our organizations to be agile and be able to swap-in and swap-out tools as needed? Do we really want to tie an entire business process to one solution? Haven’t we learned anything from our legacy mainframe days? Remember how hard it was, and is, to untangle ourselves from those.

Mapping Data for GDPR with CAPP in Ardoq

I’m not saying that an enterprise-wide product isn’t right for large organizations with a lot of risk and endpoint exposure. I just believe that companies need to consider the process as a whole and take their time building these programs. Although California may serve as the baseline, we still don’t know what the rest of the States will do or what the future brings.

BEING A NEWLY MINTED CIPM

I can’t comment on the substance of the exam as I’m prohibited to by the agreement I signed. What I can say is that like most designations the value I find is not necessarily in the certification as much as the legwork and study necessary to achieve it. The reward is in the knowledge you acquire along the way, not just the medal you get at the finish line. If you check out the publicly available study materials and Body of Knowledge (BOK) available on the IAPP site you’ll see that it looks very much like the protocol of other information management organizations.

My belief though is that this BOK is evolved precisely because it’s privacy-centric. It covers many areas familiar to IG and Data Privacy disciplines but it is much more a holistic model and prescription than I’ve ever seen. It’s one of the reasons I’m so impressed with the IAPP.

THE RACE JOURNEY BEGINS

I came back from meeting with data privacy officials and business people in Brussels in 2018 knowing that Privacy was going to change the world. It’s one of the reasons I decided to engage more fully in it professionally. I’ll be spending more time talking about my journey towards privacy and speaking about the CCPA and related issues over the coming months and in my new book which should be available early next year. The concept of privacy is not just important for data protection and to check a compliance box, it’s important because it affects the lives of our colleagues, our friends, our children, our parents and pretty much everything around us. We need to not only protect our data but we need to value it and teach others to value theirs and that’s what I’m dedicated to.

I’m available for consulting opportunities and interviews and would love to discuss your corporate challenges. Feel free to contact me at rafael@capp-llc.com to schedule a free two-hour workshop or just give me a buzz at 323-413-7432.

New Podcast: #GRC and Me – The Blessing of #CCPA

EPISODE SUMMARY:

Rafael Moscatel, managing director at CAPP, joins GRC & Me to discuss how his background in law and consulting ultimately led him to the world of GRC. He shares how one tweet led to a watershed moment in compliance and privacy, and tells his deeply personal connection to California adoption records. Rafael also explains how CCPA should be viewed as a blessing that helps better understand what’s “under the hood” of your company.

EPISODE NOTES:

Top 3 Quotes

  • “The more that you can show your customers that you’re being a good steward with their data, the more they’re likely to trust you. And from a reputational standpoint and a branding standpoint, that’s always one of the best benefits and one of the reasons that consumers will choose one product or service over the other.”
  • “And I think if you look carefully, the CCPA is quite a blessing. It helps reduce expenses and monetize the information life cycle because you have a better understanding of what’s under the hood in your company.”
  • “…you know there’s not one silver bullet when it comes to preparing data for an information governance strategy, IG is essentially a multidisciplinary type of approach.”

Show Highlights

[01:28] Rafael’s background in law and consulting
[02:35] Discussing Rafel’s company and beginnings
[04:36] The “Olympics of Privacy”
[05:59] A watershed moment in Compliance and Privacy
[08:05] Rafael’s personal connection to records in California
[09:05] The incredible moment Rafael received his birth records
[12:00] The “blessing” of CCPA
[14:11] Rafael’s personal opinion of CCPA
[16:19] Best practices for privacy and policy management
[19:30] Policy management systems
[21:04] How to read more about Rafael’s thoughts on these issues
[22:58] The Little Girl With The Big Voice
[24:03] Vendor Risk Management
[25:00] Being mindful of what’s outside your company walls as well as what’s within them

Resources:

Join us in San Diego for ILTA: Preparing for the California Consumer Privacy Act

Event Description

When:  Oct 30, 2019 from 12:00 PM to 1:30 PM (PT)

Where: Klinedinst, 501 West Broadway, Suite 600 San Diego, CA 92101

REGISTER HERE

We share and store our most sensitive personally identifiable information (PII) on countless computers, networks, and devices. Within an organization, PII can be found scattered in emails, databases, shared drives and more. The new California Consumer Privacy Act (CCPA) is making a strong privacy program an essential part of an organization’s records and information governance program. Join our presentation as we discuss:

  • How are you leveraging the focus on privacy and complying with this new law?
  • Is Record and Information Governance at the table for the conversation?
  • Will you and your organization be ready when the Act goes into effect on January 1?

Speakers

Faron Lyons – Enterprise Account Manager, Blackberry

Rafael Moscatel – Managing Director, Compliance and Privacy Partners

Williams Data Management to Host Data Protection Lunch with Compliance and Privacy Partners at Century City Chamber of Commerce

Media Contact: Ally Bertik ally@marketingmaven.com (310) 405-0358  

Williams Data Management to Host Data Protection Lunch at Century City Chamber of Commerce

Leader in Data Protection Partners with Cyber Hygienist and Technology Expert to Discuss How Fiduciaries Can Prepare and Protect Their Businesses for Data Breaches

­­­­­­­­­­­­­­­­­­­­­­ _____________________________________________________________________________

LOS ANGELES.  – (September 18, 2019)  Williams Data Management, southern California’s leader in data protection, has partnered with Rafael Moscatel, managing director of Compliance and Privacy Partners, and George Baldonado, president and CEO of Oasis Technology, Inc. to host a “Data Protection, A Primer For Your Fiduciary: It’s Your Business, Protect It!” lunch​ in conjunction with the Century City Chamber of Commerce. The panel will take place from 11:30 a.m. to 1 p.m. on October 3, 2019 at Greenberg Glusker, 1900 Avenue of the Stars, Suite 1400 in Century City, California.

Data Protection Pro, Douglas C. Williams, president and CEO of Williams Data Management will discuss how small businesses can take advantage of a data breach reporting service powered by CSR Privacy Solutions, Inc. to enable companies to protect Personally Identifiable Information (PII). Other topics will include the California Consumer Privacy Act (CCPA), cyber security protection and data governance.

“We are thrilled to lead the conversation for fiduciaries on how to better protect their businesses,” said Williams. “Our goal is to keep your information safe, secure and available regardless of what it is or where it is stored. We hope to provide a clear solution for companies in all industries moving forward, especially with our new data protection suite that provides a pathway for self-assessment and structural gap analysis for internal management.”

Guests will have the opportunity to network with business professionals, engage in this informative panel with expert sources and enjoy lunch provided by Williams Data Management.

To learn more or register for the data protection lunch, please visit https://business.centurycitycc.com/events/details/data-protection-a-primer-for-your-fiduciary-it-s-your-business-protect-it-1704.  

About Williams Data Management

Williams Data Management is southern California’s leading source for data protection management. The company educates, consults, has the source materials, and provides the structure for self-assessment and corporate plan structure for information breach notifications in the United States. Over the last decade, the firm has become an expert solution provider, offering professional records management, data protection, imaging and digitization, cloud storage and certified data destruction services to all sectors and sizes of businesses.

Williams holds numerous certifications for data compliance and destruction including SSAE16, NAID “AAA” Certification, and is a member of PRISM. For more information, visit www.williamsdatamanagement.com or call 888-478-FILE.

About Century City Chamber of Commerce

The Century City Chamber of Commerce is one of Los Angeles’ most active, involved and relationship-driven chambers. The chamber places a special emphasis on its members working together to build effective relationships and relevant programs that help individuals and companies expand their marketplace reach. Under the clear and powerful guidance of many energetic committees and councils, the Century City Chamber has grown to encompass representatives from virtually every industry, helping to make Century City one of Los Angeles’ most prestigious business communities. From the largest corporations to mid-sized businesses and emerging entrepreneurs, its diverse members thrive with one another and with key decision makers.

#           #           #