CCPA – The Definitive, Easily Searchable Text

In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.

The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and enforced new accountability for organizations processing personal data.

With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, there are now a similar set of rules governing most organizations holding data on US Citizens.

We’ve now made it easy for you to read the act in full with our easily searchable CCPA text below:

California Consumer Privacy Act

CCPA 2018 Introduction

Section 1

Section 1 This measure shall be known and may be cited as “The California Consumer Privacy Act of 2018.

Section 2

Article A In 1972, California voters amended the California Constuition…
Article B Since California voters approved the right of privacy, the…
Article C At the same time, California is one of the world’s leaders in…
Article D As the role of technology and data in the every daily…
Article E Many businesses collect personal information from…
Article F The unauthorized disclosure of personal information and…
Article G In March 2018, it came to light that tens of millions of people…
Article H People desire privacy and more control over their information.
Article I Therefore, it is the intent of the Legislature to further…
Article I (1) The right of Californians to know what personal information is being collected about them.
Article I (2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
Article I (3) The right of Californians to say no to the sale of personal information.
Article I (4) The right of Californians to access their personal information.
Article I (5) The right of Californians to equal service and price, even if they exercise their privacy rights.

Section 3 – Title 1.81.5 CCPA 2017 added toPart 4 of Division 3 of the Civil Code

Law Section 1798.100 Right to Know What Personal Information is Being Collected.
Law Section 1798.105 Compliance with Right to Say No and Notice Requirements.
Law Section 1798.110 Articles (A), (B), (C), (D).
Law Section 1798.115 Articles (A), (B), (C), (D).
Law Section 1798.120 Articles (A), (B), (C), (D).
Law Section 1798.125 Articles (A), (B).
Law Section 1798.130 Articles (A), (B), (C).
Law Section 1798.135 Articles (A), (B), (C).
Law Section 1798.140 Articles (A), (B), (C), (D), (E)…(Y).
Law Section 1798.145 Articles (A), (B), (C), (D), (E)…(J).
Law Section 1798.150 Articles (A), (B), (C).
Law Section 1798.155 Articles (A), (B), (C), (D).
Law Section 1798.160 Articles (A), (B).
Law Section 1798.175 This title is intended to further the constitutional right…
Law Section 1798.180 This title is a matter of statewide concern and supersedes…
Law Section 1798.185 Articles (A), (B).
Law Section 1798.190 If a series of steps or transactions were component parts…
Law Section 1798.192 Any provision of a contract or agreement of any kind that purports…
Law Section 1798.194 This title shall be liberally construed to effectuate its purposes..
Law Section 1798.196 This title is intended to supplement federal and state law, if permissible…
Law Section 1798.198 Articles (A), (B).

Section 4

Article (A) The provisions of this bill are severable. If any provision of this bill or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

A Headlining Week for Privacy, SARs and Err, Trees

Privacy Has Been Hitting the Headlines

What We’ve Been Reading And Writing This Month

Personal Information and Subject Access Requests
Plus – Saving Trees for Privacy?
IDC Insight - Exonar Probes Depths Where No GDPR Solution Has...
When GDPR goes live, people will be able to submit subject access requests to current and former employers
Apple actively promoting Privacy as a selling point but...
Apple actively promoting Privacy as a selling point but…
At Apple, we build privacy into every product we make, so you can enjoy great experiences that keep your personal information safe and secure.
How the GDPR will disrupt Google and Facebook
…seen in an Apple store in Chicago – Exactly what GDPR should stop
Normally one of the bastions of privacy data, below is a sign that was spotted in an Apple retail outlet in Chicago recently. In essence, it assumes full consent is given for Apple and it’s…
Subject access requests: revised guidance from the ICO -...
At 9.24pm (and one second) on the night of Wednesday 18 December 2013, from the second arrondissement of Paris, I wrote “Hello!” to my first ever Tinder match. Since that day I’ve fired up…
Get our free GDPR report
You have the right to get a copy of the information that is held about you. This is known as a subject access request.
Plantatreeforprivacy: the impact of GDPR when privacy regulations change
Download our report: the impact of GDPR when privacy regulations change
In May next year, the UK’s Data Protection Act will be superseded by the GDPR. The GDPR is designed to give citizens more control of the information organisations hold on them and how that…
We Are Hiring - Marketing Executive - Exonar
SARs can be over 800 Pages long.Where do we start?
I did my own SAR on my own bank. This is it (actually, it’s less than half of the information they hold on me but they filtered the request). Arrived via DHL in 2 huge boxes…
Heineken Pet
The Somewhat Related Section – Planting trees for privacy. Really?
Yes, odd, we know but this 90 second video explains all – we felt bad after the SAR experiment on the left, not just for trees but for the employees that have to generate SARs…

Seen in Apple in Chicago – Exactly What GDPR Should Stop

Normally one of the bastions of privacy data, below is a sign that was spotted in an Apple retail outlet in Chicago recently. In essence, it assumes full consent is given for Apple and it’s Partners to use privacy data by merely entering the store.

GDPR Article 7 might have something to say about this!

Stop data dripping away from your control – TechTalk Show podcast

Exonar COO, Julie Evans, discusses how to stop data management getting away from you.

Download the TechTalk Show podcast here.

The future of privacy compliance

On Tuesday 19 September, Simmons & Simmons are hosting a panel discussion devoted to technology solutions and addressing privacy challenges. The competing challenges and interests of greater regulatory requirements, heightened consumer concerns and greater commercial value of data, make finding new solutions and ways of dealing with data ever more important.

Alex Brown (Partner, ICT) will host and moderate the session and, amongst a technologically distinguished panel, will be Adrian Barrett (Founder and CEO) of Exonar. Canapés and drinks will follow.

Register for your place here.

UK GDPR Preparedness Survey

Exonar’s UK GDPR Preparedness Survey – Key Trends and Challenges

With less than a year until the implementation of the General Data Protection Regulation (GDPR) in May 2018, Exonar surveyed the data protection and wider IT community to gain an understanding of how prepared UK businesses are for the new regulation and what challenges are standing in their way.

Exonar’s goal was to understand the challenges that businesses are facing in the journey to become GDPR compliant. The research has highlighted numerous challenges to becoming compliant. GDPR is the best excuse a company has to identify opportunities to improve the data protection processes that they may already have in place. Approached in the right way it can even provide a competitive edge through forming a better understanding of a customer to tune products and services.

See the full survey results here.


Manageable Data in Moments

Over the past six months your LinkedIn feed will have told you that GDPR is coming and that you and your compliance, audit and IT teams have a myriad of actions to meet the forthcoming Regulation.  But where’s the upside?

Rather than focus on fear, uncertainty and doubt, we like to emphasise advantages.  At the heart of successful GDPR compliance is data management, and data management brings with it some tangible opportunities for your business – from getting your data in peak condition to delivering an even greater customer experience.

Data Portability

Under GDPR, individuals have the right to Data Portability.  This means that you must provide individuals with the ability to obtain and reuse the data you hold on them across different services (for example, allowing individuals to securely port data to cost comparison sites).

Using Big Data and Machine Learning data management capabilities, you’ll be able to discover and segment your data assets easily, setting your business up to provide individuals with the ability to leverage the data you hold for their personal benefit – and providing you with extra customer loyalty points in the process.

The Right to be Forgotten

If an individual really wants nothing to do with your organisation any more, then under GDPR they have the right to be forgotten.  So, if an individual asks you to ‘forget’ them, you are obliged to delete any personal data relating to them where there is no legal reason for its continued processing.  This can extend to the sharing of this data with third parties.

Putting in place a process that will enable you to rapidly pinpoint the relevant data and remove it means that rather than dreading requests, they become the trigger for a swift operation that can be carried out with confidence.

With an automated approach, this activity removes the traditionally tedious manual exercise and becomes low-impact to the business delivering a straightforward process to the individual.  It also provides you with the added benefit of removing data that is no longer useful.

Data Security

Data breaches create havoc for individuals and organisations and generate headlines that can lead to enormous reputational damage.  A key benefit to undertaking a thorough data discovery and management exercise in preparation for GDPR is the additional security this will bring to your organisation:

  1. Data discovery will help you to find unstructured (or ‘hidden’) data. It is not unusual to find up to 10GB of unstructured data per employee.  Removing this creates TB of space in your infrastructure and allows you to actively address security risks.
  2. Intelligent classification will enable you to make sure all sensitive or confidential data is appropriately segmented and subject to correct security procedures.
  3. Data management processes powered by Machine Learning and Big Data principles will allow you to automate tasks that could historically be open to human error.

By taking a proactive approach to security, you’ll be able to find and address weaknesses early giving you a story that will increase customer confidence.

Freedom of Information / Subject Access Requests

Whether a public authority with an obligation to respond to Freedom of Information requests, or a private sector company with obligations under GDPR, the ability to rapidly and consistently handle requests for information from individuals is crucial for compliance.

Addressing this with manual methods is time consuming and costly.  By implementing data discovery, intelligent classification and data management protocols using software, this task becomes near-automated and does not disrupt day-to-day business.

Data Inventory

One of the ways in which many organisations are benefitting from an early approach to GDPR compliance via data management is their ability to create a detailed data inventory.  We liken it to the rigour that organisations apply to managing their finances.  By establishing a baseline of your data assets, classifying them appropriately, discarding duplicated data, then setting processes in place for ongoing management, you have a data set that is accurate on a near real-time basis.  This delivers a raft of data-centric business benefits:

  • Insight into a single view of the customer
  • Insights into customer / supplier behaviour
  • Accurate reporting
  • Insights into opportunities to streamline / automate processes

This is just a summary of how we believe taking a proactive data-centric approach to GDPR could benefit your business.  To find out how you could achieve manageable data in moments, either download our whitepaper here:  or drop us a line at

Holistic Data for EU GDPR, Dude

Holistic Data for GDPR, Dude

What We’ve been Reading and Writing This Month

GDPR – Myths, Priorities, Toolkits
Plus – Record Breaking Fundraising for Childline
Busting the 5 Big GDPR Myths
Busting the 5 Big GDPR Myths
When a piece of legislation like the GDPR comes along, it makes for a huge amount of noise which can create a lot of confusion. Not everyone has the time or inclination to read the official…
Focus on Five High-Priority Changes to Tackle the EU GDPR
Focus on Five High-Priority Changes to Tackle the EU GDPR
The European General Data Protection Regulation will have a global impact as of 2018. Among the many changes, IT leaders should prioritise efforts where they are most affected. These five high-priority changes help you get up to speed with GDPR requirements.
It's holistic, dude: How to dodge the EU's £17m data...
Sysadmin blog Holistic IT is hard. There are those among us who want to purchase hardware, software, services or so-called turnkey “solutions” – as vendors call them – bearing logos and…
Why Consulting is No Longer Just a Clipboard Exercise
Why Consulting is No Longer Just a Clipboard Exercise
When you engage a consultant to help you with a business issue – what is it that you expect from them? For us, we’d be looking for expertise; strategic insights; challenging thinking….
DPO Toolkit
First, determine whether your organization is required to appoint a DPO under the GDPR. Does the GDPR say you need a DPO? Find out what a DPO looks like, what skills and expertise they…
GDPR – Why It’s About More Than Regulation. Download the White Paper
GDPR – Why It’s About More Than Regulation. Download the White Paper
GDPR is a significant challenge. Concentrating on the Data first can make everything else easier…
Exonar Fundraises with White Hats
Exonar Fundraises with White Hats
A record-breaking £198,000 was raised for Childline at the annual WhiteHat Ball which took place at London’s Lancaster Hotel on Friday 27 January. As more young people are turning to…
Trial Exonar to Understand Your GDPR Data
Trial Exonar to Understand Your GDPR Data
Whether it’s information security, governance, risk or compliance, the Exonar platform can help organisations deal with the growing volumes of unstructured data….

The EU GDPR: How to Know What You Don’t Know

Here’s a little challenge for you: can you list how many departments there are within your business?  How about the number of teams that sit within each department?  If that seems too easy, then how about listing the number of databases held by each team?  And if you really want a stretch, how about taking a guess at the number of data points your business holds on individuals.

It’s likely that everybody would know (or, in the case of a large corporate, could find out) the answers to the first two.  The second two can be almost impossible to manually discover.

Some would argue that it’s easy to find the number of databases within a business but what we have discovered during the course of our work is that many organisations have terabytes of unknown data – something we reflect on in our whitepaper “GDPR – Why It’s About More Than Legislation”.

For this blog post, we’re going to focus on just one element – that of unknown data.

The Data That You Know About

Let’s say an organisation has a team for each of the following functions: HR, Finance, Marketing, Sales, Operations and Customer Service.  Each of these teams is likely to have its own master data source.  It could be as straightforward as an SAP ERP system, each of the teams having a discrete Line of Business app or database, plus the company having an overall infrastructure to provide email and collaboration software.  Every interaction leaves a digital marker, and so every piece of data and its movement can be tracked.

If your organisation only has data that it knows about, then if you are asked by an individual to disclose or delete the information you hold on them as part of the GDPR then you should be fine.  Except that you’ve probably got the following:

Data That You Don’t Know About

What the above example doesn’t include are data repositories that many organisations have, but either don’t think about or don’t know that they exist.  These include, but are not limited to:

  • Decommissioned servers that are still holding data
  • Duplicated databases from campaign activity / mergers / roll-outs of new software
  • Data that has been wilfully misused
  • Data shared with a third party as part of a service-delivery contract
  • Emailed data that has been shared innocently or to avoid corporate process
  • Development servers that are not considered as part of the company’s live data estate


















All of the above instances introduce risk and cost to an organisation.  Risk in that confidential information could be leaked, lost, or accessed by unauthorised persons.  Costs come in the form of data breaches that result in legislation, plus remediation costs to fix the weakness in the network / governance process.

Pinning Down Unknown Data

Whilst you may have unknown data, it won’t take teams of consultants or outrageous cost to locate it within your organisation, and neutralise the risk it poses.  At Exonar, we’ve developed a platform that uses Big Data and Machine Learning to track down, identify and classify data – wherever it might be hiding.  We have helped clients to find and retrieve data containing passwords, personally identifying data points and company sensitive information.  We’ve also helped them to find terabytes of duplicated information.  As part of this process, they’ve reduced cost and avoided risk but what is perhaps more important to them organisationally is that they have flushed out what was previously ‘unknown’.

Better Business as Usual

Organisations that have a firm handle on all of their data assets not only have a more stable platform for managing the customer experience, they also have greater knowledge of their overall business.  At a time when businesses are awash with data, the ability to identify it and make it meaningful has far greater impact beyond GDPR compliance, but it’s a good place to start.

Exonar are experts in helping businesses to uncover unknown data, reducing risk and cost.  To find out how we can help you, get in touch.

4 Questions, All The Answers. What You Need to Know About GDPR

GDPR seems to be on everyone’s lips at the moment. While the regulation doesn’t come into force until 2018, preparation has already begun for many organisations. For some, however, GDPR still raises a number of questions and queries.

We asked the former Head of Fraud, Risk and Security for Vodafone UK and now Exonar’s Chief Operating Officer, Julie Evans, what GDPR means for Exonar, what we will be doing about it and what the potential implications for other UK businesses are.

What does GDPR Mean to Us and Our Clients?

GDPR significantly increases the level of proactive management of Personally Identifiable Information (PII). It increases the requirements on any organisation that deals with the personal information of EU citizen customers or employees. The fact is that no-one is clear on what the post-Brexit world of GDPR will look like in the UK but it will still impact most UK organisations.

The UK exit from the EU will not be complete before GDPR is implemented. There will be a significant period of overlap following the triggering of article 50 and, even after Brexit, there is a strong possibility that similar regulations will be sought by the ICO and demanded by international companies who will look for ‘adequacy’ in UK law to ensure that the UK can compete and operate seamlessly across Europe and the world. Further, GDPR requires adequate privacy protection in states outside the EU, if EU companies are to store their data there. In all, it seems nearly inconceivable that privacy of personal information will not be a significant factor in the coming years.

As well as increasing privacy requirements, GDPR introduces significant penalties for non-compliance and also broadens the scope of what is considered PII. Although somewhat lacking in absolute clarity, the Regulations define PII as being information that enables the identification of a person.

What does GDPR mean for Exonar?

As a relatively new company Exonar is not burdened by legacy of old IT infrastructure although we must ensure the way we hold data is compliant with GDPR. For us, this is primarily employee and shareholder data. In common with most organisations the first task is to find and create a register of the data. Even a relatively small organisation like Exonar uses multiple different platforms to store information; documents, spreadsheets, PDFs and presentations, located across file shares, email and in cloud drives. It’s not an insignificant issue, however, we do at least have our own Exonar software at our fingertips to enable us to map where this information is being stored.

As well as identifying where all of our PII is, we’ll also need to designate the role of Data Protection Officer (DPO), an individual within our organisation directly tasked with identifying and protecting individual’s information within our organisation, it does not need to be a full time role but there must be clarity of accountability and we are re-apportioning our job roles to accommodate this requirement.

How can We and Other Organisations get Ready for GDPR?

Understanding the key changes proposed by GDPR is the first step in understanding how to be compliant with the regulations. The table below (courtesy of consulting firm EY) highlights the key areas that need addressing:

Depending on the level of organisational maturity, the new regulations could therefore demand changes to resourcing, training, process definition, applications as well as how the data is handled. The requirements could be significant.

How Is Exonar Going About GDPR Compliance?

I am confident that the leadership team of any organisation would tell you that they would love to have the insight to their customer journey from a customer perspective. GDPR for us is a fantastic opportunity to use our own product and to experience the output. We have set up the ‘discover’ phase of the Exonar journey to crawl all of our data stores. Given that we only hold a couple of terabytes of data we achieved this in our first afternoon.

Our next phase is to ‘understand’ what we ‘discovered’, determining what PII was where, who put it there and why. We’re able to do this through the use of our software’s querying function, it’s “Find More Like This” capability for identifying all data relevant to a topic and the results graphs and charts that show me what information we have, in what format it’s in and in which application of filestore it’s been put.

Now I know what I’ve got I can act upon it so our next phase in GDPR readiness is to review our policy and process as well as our use of applications and communicate our recommendations clearly to the whole team. It does take time so it’s perhaps a good thing that we are not leaving compliance with GDPR until the last minute…