CCPA Solutions

Generation privacy has begun

In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.

The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and imposes new accountability on organizations processing personal data.

With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, there is now a similar set of rules governing most organisations holding data on US Citizens.

Exonar simplifies compliance with the California Consumer Privacy Act (CCPA) by getting right to the heart of the matter: Finding, Mapping and Managing your data.

How Exonar can help with CCPA

Data Mapping and Inventory

Data Subject Access Requests

Data Portability

Enforcing Compliance

Right To Be Forgotten

Meet the Personal Data Privacy dashboard

Exonar’s Privacy dashboard provides a top-down view of your organisation’s information in relation to the EU GDPR and California Consumer Privacy Act (CCPA).

It shows a comprehensive picture of all the data held which is relevant to these laws, where it is held and its characteristics.

This view will take your organisation beyond spreadsheets and interviews, and into the realm of making well-informed decisions, rapidly.

Where Do I Start

Preparations for CCPA will share many characteristics with those undertaken for GDPR:

Assemble the team: Include Executive Sponsors and stakeholders from Legal, Compliance or your data privacy team, people with oversight of your corporation’s technology and its security, and representatives from the key personal data owners in your business (e.g. HR, Sales, Marketing, Customer Service).

Get started with a data inventory. Prioritise information stores likely to contain personal data and those with poor governance. Be practical: start with those that are easy to create an inventory for.

Don’t rely on your corporation’s answers to questionnaires for your data inventory, or you will get an idealistic view of your risk (your head of marketing is likely to say the personal data they process is in the marketing system, forgetting that it got there via email and has been exported into spreadsheets). You will need technology to do this effectively (and we can help!)

Establish a culture of security and privacy and ingrain this into your day-to-day operations. Communicate a simplified overview of CCPA to the key stakeholders.

Create and practise your business processes that will be required to satisfy the rights of the individual (Access to data, erasure, breach notification).

CCPA versus GDPR

There are many similarities and some key differences between GDPR and CCPA. Here is Exonar’s take:

Basis for consent

GDPR – Opt in

CCPA – Opt out

Who it applies to

GDPR – Any organisation holding personal data on EU citizens

CCPA – For-profit entities that process personal data of California residents and either:

Do $24 million in annual revenue

Hold the personal data of 50,000 people, households, or devices

Do at least half of their revenue in the sale of personal data.

Rights for individuals

GDPR – Access to data being held, right to erasure, correction, object to automated processing. Right to notification if there is a data breach.

CCPA – Right to disclosure and objection relating to who data is being sold to, no discrimination if individual objects to data sold. Right of access to data being held. Right to know how personal data is being used. Right to know who data has been provided to.

When does it come into force

GDPR – May 25, 2018

CCPA – Jan 1, 2020

Financial Penalties

GDPR – 4% of turnover or €20m (whichever is greater)

CCPA – $7,500 per violation. $750 or actual damages for each individual, whichever is greater

Time allowed to respond to a request

GDPR – 1 month

CCPA – 45 days

NB: California resident is defined as, “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”

The CCPA – The Definitive, Easily Searchable Text

Follow the link below to read the full California Consumer Privacy Act text, with each section clearly marked and searchable.

The legislature passed the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, and these new rules will now govern most organisations holding data on US Citizens.

Trump, Brexit, Cambridge Analytica – Global Data Privacy Regulations

Privacy legislation advanced leaps and bounds in 2018 with Europe (GDPR), California (CCPA) and India (PDPB) pioneering the way for privacy protection for their citizens.

For many organisations, 2018 was the year that ‘data privacy’ became the two most cumbersome words in the professional lexicon. To comply with new legislation, organisations assessed their data practices and their ability to protect citizens’ privacy rights. With GDPR fines of up to €20m or 4% of global turnover, 2018 was the year that businesses started taking data privacy seriously.

2018 Key Privacy Events

Europe and the GDPR – May 2018

Europe implemented the GDPR in May 2018 providing European residents the right to access and erase their personal information upon request, whilst mandating organisations to report security breaches to affected citizens.

In the UK, reporting of data breaches to the Information Commissioner’s Office (ICO) increased by 260% in the three months after May 2018 compared to the same three months in 2017; a remarkable cultural change in identifying and reporting data breaches.

The ICO also levied its first successful fine against AIQ, the Canadian data firm linked to Cambridge Analytica, before levying another fine against Cambridge Analytica itself for failing to comply with a data subject access request (SAR) from Professor David Carroll.

Key Privacy Trigger:

Cambridge Analytica, Brexit and Trump – 87 million US and UK citizens were psychologically profiled and micro-targeted with political messaging and misinformation to influence the Brexit and Trump votes. There are 11 ongoing criminal enquiries into breaches of electoral law in the UK, and illegal data practices are the cornerstone of those investigations. These investigations will escalate and conclude in 2019, heightening citizens’ understanding of how their privacy rights were abused.

USA and the California Consumer Privacy Act (CCPA) – July 2018

California announced the incoming CCPA which will come into effect on January 1st 2020. The CCPA provides similar rights to access and erasure as the GDPR, and also requires organisations to disclose which third parties they buy and sell personal data from upon request.

The CCPA has led to New York following suit with data privacy regulation of its own, and there are talks of a federal privacy law being developed in 2019, as the complexity of state-by-state data privacy laws seems too impractical to overcome. This point was made clear after the two largest American data breaches of 2018 affected Americans across all 50 states.

  • Exactis – 340 million records breached
  • Marriott Hotels – 323 million records breached

Key Privacy Trigger: California Consumer Privacy Act and the right for Americans to sue

The CCPA provides California residents with a private right of action, allowing individuals to pursue their own lawsuits against organisations (rather than waiting for regulatory enforcement action). Individuals can enact this right when a breach occurs due to a demonstrable lack of appropriate security controls.

In the USA, a litigious society, we can expect the individual right to sue to drive interest in data privacy rights at a quicker rate than in the build up to the GDPR, which will in turn lead to federal calls for those same data privacy rights.

India and the Personal Data Protection Bill (PDPB) – September 2018

Six months after the Indian national identity system was breached, exposing the data of 1.1 billion Indians, India announced its personal data protection bill. Openly modelled on the GDPR, the PDPB gives Indian citizens rights to access, erasure and the right to report breaches to a new Indian data protection authority (DPA) that will also have the power to influence rulemaking (unlike the ICO in the UK) and levy hefty fines.

The PDPB will also include sectoral consideration vis-a-vis the CCPA, and include provisions for national security concerns similar to the Chinese data protection regulations (CDPR).

Key Privacy Trigger – Aadhaar Data Breach

In March 2018 a breach of India’s national identity database left the personal and biometric information of 1.1 billion Indians exposed. The data was of sufficient detail to open bank accounts, enrol in state financial programmes and register SIM cards, sparking a nationwide debate on data privacy and national security, and a six-month turnaround to announcing the PDPB.

What to Look For in 2019

  1. Public outrage at AI’s abilities to psychologically profile and microtarget citizens in real time

The investigations into AIQ/SCL/Cambridge Analytica’s role in both Brexit and Trump campaigns will escalate through 2019. As indictments are served in relation to data crimes, the public will develop an understanding of how AI algorithms psychologically profile and microtarget them in real time.

The focus on authoritarian regimes’ use of these data practices to suppress opposition via social media platforms will come under specific scrutiny. This will lead to a strengthening of the political movements calling for AI transparency and major regulatory reform for big tech and microtargeting data practices.

  2. Big Tech vs Regulators battle it out over US federal privacy law

The fight over the details of the CCPA is ongoing, and we can expect the lobbyists of Google, Amazon, Facebook and Apple to continue actively resisting tighter regulation at each opportunity. We can expect pushback on citizens’ rights to access data, a sparking of a conversation surrounding consent for data usage, and an attempt by journalists to reveal the network of third-party data analytics firms who would be the worst violators of new data privacy laws.

  3. The first £100m GDPR fine?

It is difficult to understand the privacy impact of a data breach, especially when the number of citizens affected runs into the hundreds of millions. These are numbers too large for individuals to comprehend but the privacy impacts will be accounted for by regulators in the form of mega fines in 2019.

The maximum fine for Facebook under the GDPR is approximately $1.6bn, and with investigators across the world scrutinising the data practices of multiple technology companies, 2019 could be the year of the first truly eye-watering fine.

CCPA – How Will New Privacy Law Impact Trade With America?

You wait years for data privacy regulations to catch up with current data processing requirements and then, like buses, two arrive at the same time.

Many UK organisations may well feel like they have been hit by a bus, given the dramatic impact that the General Data Protection Regulation (GDPR) has had since its implementation in May. Following closely behind is the California Consumer Privacy Act (CCPA) 2018 (AB 375), passed in June, which will come into force in 2020.

In a nutshell, it’s California’s answer to the GDPR. But don’t be fooled. It may look similar to the GDPR, but there are nuances organisations need to understand to comply and stay on the right side of the regulations, especially as it’s widely accepted that CCPA will set the bar for privacy rules across other US states.

California holds a key role, especially when it comes to trade with the UK. For example, the California Chamber of Commerce notes that the UK is California’s 10th largest export destination, with over $5 billion in exports.

CCPA versus GDPR

What do UK businesses need to be aware of? Well, the overlap between several of the CCPA rights and the GDPR includes the right to information and the right of access. But the obvious difference is that the CCPA rights only apply to persons that reside in California, whereas the GDPR applies to processing of EU citizen data by organisations regardless of whether they are located within the EU or not.

To view an easily searchable text version of the CCPA, click here.

Understanding the Differences

Firstly, let’s take a step back and understand the organisations that each regulation will apply to. GDPR is relatively straightforward: it applies to any organisation holding personal data on EU citizens.

CCPA, on the other hand, will apply to for-profit organisations that process personal data of Californian residents and either take $24 million in annual revenue, hold the personal data of 50,000 people, households, or devices, or take at least half of their revenue in the sale of personal data.

Another of the key differences between GDPR and CCPA is that obtaining consent under California’s law differs from the methods required under the GDPR. In Europe, consumers must opt in and give consent for their data to be stored and used. With CCPA, consumers can opt out of the sale of their personal information.

What does CCPA mean for the rights of the individual?

One of the main aims of the GDPR is to give individuals better visibility and control over their data, and as such it offers better access to data, right to erasure, correction and objection to automated processing. It also includes the right to notification in the event of a data breach.

The CCPA aims to improve the right of access to data being held, and the right to know how personal data is being used and who data has been provided to. It enforces the right to disclosure and objection relating to who data is being sold to and guarantees no discrimination if an individual objects to their data being sold.

The financial penalties also differ between the GDPR and CCPA. Under GDPR, organisations can be fined 4% of global turnover or €20m, whichever is greater. The CCPA imposes penalties of $750 per consumer per incident or actual damages, whichever is greater. As for penalties assessed against businesses, the highest amount is $7,500 per violation, notwithstanding penalties under California’s Unfair Business Practices Act.

For a breakdown of the similarities and differences between the GDPR and CCPA, click here.

Becoming and remaining CCPA compliant

Preparation for CCPA will share many characteristics with actions undertaken for GDPR compliance. Coordination is vital, including executive sponsors and stakeholders from legal, compliance and data privacy teams, people with oversight of technology and its security and representatives from the key personal data owners in an organisation (e.g. HR, sales, marketing, customer service).

The key is starting with data inventory. Prioritise information stores likely to contain personal data and those with poor governance. Be practical and don’t rely on your corporation’s answers to questionnaires for your data inventory, or you will get an idealistic view of your risk (a head of marketing is likely to say the personal data they process is in the marketing system, forgetting that it got there via email and has been exported into spreadsheets, for example).

The aim is to find all relevant data within your organisation. In fact, “identifying what data you hold” was listed as a key step by the UK’s ICO as well as other national authorities in the run up to GDPR. Given how rapidly data is collected, created and stored by organisations, it would be very difficult to find this out manually.

What is correct at the beginning of this year could be wildly different in 6 months’ time, and attempting to complete tasks manually will result in a catalogue of where people think data is held and processed (usually the systems designed to hold the data, like a CRM system) rather than where data is actually held (such as in a spreadsheet extracted from the CRM system to run a regular report).

But the task of creating a data inventory does not need to be arduous; there are tools available that use Big Data and Machine Learning principles as part of an eDiscovery and data mapping process, giving you the ability to rapidly find and categorise data and to continue doing so on an on-going basis – ensuring continual compliance for your business rather than compliance at a single point in time.

Technology to simplify compliance

It’s clear that the tasks above are the first steps in what will be an on-going process. But these steps are crucial for any organisation that wants to get it right first time.

To simplify the compliance process, Exonar’s Privacy Dashboard can provide an easily digestible top-down view of all of the information a business holds in relation to the GDPR and the CCPA.

Exonar’s solution achieves this by indexing files in any format from sources like cloud, file shares and mail servers, and locating passwords, customer information, credit card numbers, salaries and company confidential records.

This means all of your data, from databases to documents, is mapped and classified and able to be searched instantly – even with advanced queries. This allows users to find any information held in seconds or create visualisations to help understand data. When you understand your data, it’s easy to make decisions about what data to keep or delete and what needs to be done in order to stay compliant with regulations relevant to your business.

To find out more about the CCPA and Exonar’s solutions, visit https://www.exonar.com/ccpa/

GDPR is here and now there’s the CCPA too! Exonar Latest News

GDPR, CCPA, POPI – TMI?
Living with new privacy laws

What We’ve Been Reading And Writing This Month

GDPR is here and now there’s the CCPA too!
Plus – We’re Hiring & ‘Ain’t got no Privacy’ – 80’s privacy issues!

  • New Exonar research released July 4th 2018 shows that public sector organisations face increased financial pressure as a result of the recently implemented General Data Protection Regulation (GDPR), to the tune of £30million per year. The NHS is expected to be hit hardest by the influx of data requests, given that before the introduction it cost the NHS £20.6million per year to retrieve customer data.
  • The rise appears to reflect more stringent reporting obligations under the EU’s new data protection regime. More than 1,100 reports of data breaches involving people’s personal information have been received by the Data Protection Commission in the two months since the new EU legal regime came into force.
  • How the GDPR will disrupt Google and Facebook
  • New laws and high profile investigations have helped put data protection and privacy at the centre of the UK public’s consciousness like never before, the Information Commissioner has said.
  • Exonar simplifies compliance with the California Consumer Privacy Act by getting right to the heart of the matter: Finding, Mapping and Managing your data.
  • Plantatreeforprivacy: the impact of GDPR when privacy regulations change
  • In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work toward compliance and help you focus your efforts. In …
  • Get our free GDPR report
  • The California Consumer Privacy Act of 2018 (aka CaCPA) creates unprecedented obligations for companies that do business in California (the world’s fifth largest economy) or collect the personal information of California’s 40 million residents.
  • We Are Hiring - Marketing Executive - Exonar: Are you our next Marketing Manager? An exciting startup software business, we’re looking for an ambitious marketer to take responsibility for creating and delivering our marketing strategy. A British software company, we have just raised significant funding to boost our growth strategy through 2018.
  • ‘Ain’t got no Privacy’: Music video by Rockwell performing Somebody’s Watching Me. (C) 2004 Motown Records, a Division of UMG Recordings, Inc.

CCPA – The Definitive, Easily Searchable Text

We’ve now made it easy for you to read the act in full with our easily searchable CCPA text below:

California Consumer Privacy Act

CCPA 2018 Introduction

Section 1

Section 1 This measure shall be known and may be cited as “The California Consumer Privacy Act of 2018.”

Section 2

Article A In 1972, California voters amended the California Constitution…
Article B Since California voters approved the right of privacy, the…
Article C At the same time, California is one of the world’s leaders in…
Article D As the role of technology and data in the every daily…
Article E Many businesses collect personal information from…
Article F The unauthorized disclosure of personal information and…
Article G In March 2018, it came to light that tens of millions of people…
Article H People desire privacy and more control over their information.
Article I Therefore, it is the intent of the Legislature to further…
Article I (1) The right of Californians to know what personal information is being collected about them.
Article I (2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
Article I (3) The right of Californians to say no to the sale of personal information.
Article I (4) The right of Californians to access their personal information.
Article I (5) The right of Californians to equal service and price, even if they exercise their privacy rights.

Section 3 – Title 1.81.5 CCPA 2017 added to Part 4 of Division 3 of the Civil Code

Law Section 1798.100 Right to Know What Personal Information is Being Collected.
Law Section 1798.105 Compliance with Right to Say No and Notice Requirements.
Law Section 1798.110 Articles (A), (B), (C), (D).
Law Section 1798.115 Articles (A), (B), (C), (D).
Law Section 1798.120 Articles (A), (B), (C), (D).
Law Section 1798.125 Articles (A), (B).
Law Section 1798.130 Articles (A), (B), (C).
Law Section 1798.135 Articles (A), (B), (C).
Law Section 1798.140 Articles (A), (B), (C), (D), (E)…(Y).
Law Section 1798.145 Articles (A), (B), (C), (D), (E)…(J).
Law Section 1798.150 Articles (A), (B), (C).
Law Section 1798.155 Articles (A), (B), (C), (D).
Law Section 1798.160 Articles (A), (B).
Law Section 1798.175 This title is intended to further the constitutional right…
Law Section 1798.180 This title is a matter of statewide concern and supersedes…
Law Section 1798.185 Articles (A), (B).
Law Section 1798.190 If a series of steps or transactions were component parts…
Law Section 1798.192 Any provision of a contract or agreement of any kind that purports…
Law Section 1798.194 This title shall be liberally construed to effectuate its purposes…
Law Section 1798.196 This title is intended to supplement federal and state law, if permissible…
Law Section 1798.198 Articles (A), (B).

Section 4

Article (A) The provisions of this bill are severable. If any provision of this bill or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.