To Catch A Thief: The Increasing Power Of Deception Technology In Cybersecurity

 Oct 26, 2019 9:00 AM
by Derek Lackey

Despite the rapid innovation and advancements in cybersecurity, chief information security officers (CISOs) and their teams must still contend with a fundamental strategic disadvantage of protecting data: the fact that cybercriminals always have the element of surprise. That is no small factor. As Sun Tzu counseled in The Art of War, one of the main keys to victory involves using surprise tactics. For security teams, this means they often find themselves in a daily struggle of defense, constantly looking for signs of breach and compromise across networks that grow vaster and more complex every day.

Recently, though, a powerful and effective — though certainly not foolproof — security strategy is allowing CISOs to take a more proactive approach. While cybersecurity will always be fundamentally about defending information, new best practices in what is known as deception technology let security teams play offense. As a result, the power of surprise can be wrested from criminals' arsenals and used against them.

The Basis Of Deception Technology

The theory and principle behind deception technology is powerfully simple. Drawing from insights into the types of data criminals value and covet, deception technologies mine a network with decoys — booby traps disguised as data assets that alert an organization when they have been accessed. Deception technology lures criminals away from actual valuable data, while exposing their presence — often without their knowledge. This allows security professionals to closely monitor their patterns, activities and techniques, providing valuable intel to prevent future attacks.

Deception techniques are not only effective in protecting against outside attacks. They are also powerful tools for discovering internal threats. If someone starts poking around a network for information they are not authorized to access, deception technology is one of the most effective ways to catch them.

Despite its growing popularity, there are still some who feel squeamish about allowing criminals to remain inside a network long enough to monitor their activity. That’s understandable, but these types of misgivings ignore a fundamental reality of cybersecurity. Breaches are inevitable. Resources are more effectively allocated to minimizing the damage rather than investing in the false security of an impenetrable network. If you are connected, you are reachable.

What Deception Technology Does Right...


CCPA Explained: Part 10 - Article 6. Non-Discrimination

 Oct 15, 2019 3:00 PM
by Derek Lackey

§ 999.336. Discriminatory Practices

A A financial incentive or a price or service difference is discriminatory, and therefore prohibited by Civil Code Section 1798.125, if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA.

B A business may offer a financial incentive or a price or service difference if it is reasonably related to the value of the consumer's data, calculated as described in Section 999.337.

C Examples:
(1) Example 1: A music streaming business offers a free service and a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.
(2) Example 2: A retail store offers discounted prices to consumers who sign up to be on their mailing list. If the consumer on the mailing list can continue to receive discounted prices even after they have made a request to know, request to delete, and/or request to opt-out, the differing price level is not discriminatory.

D A business's denial of a request to know, request to delete or request to opt-out for reasons permitted by the CCPA or these regulations is not considered discriminatory.

E A business should be transparent in their pricing and show consumers any details regarding incentives or price/service differences.

F A business charging a reasonable fee as permitted by Civil Code Section 1798.145(g)(3) is not considered to be offering a financial incentive.

 

§ 999.337. Calculating the Value of Consumer Data

A  The value of  the consumer’s data, as that term is used in Civil Code section 1798.125, is the value provided to the business by the consumer’s data and shall be referred to as “the value of the consumer’s data.”

B A business offering a financial incentive or a price or service difference shall use and document (and disclose in its notice of financial incentive) a reasonable, good-faith method for calculating the value of the consumer's data, using one or more of the following:
(1) The marginal value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
(2) The average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
(3) Revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value;
(4) Revenue generated by the business from sale, collection, or retention of consumers’ personal information;
(5) Expenses related to the sale, collection, or retention of consumers’ personal information;
(6) Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference;
(7) Profit generated by the business from sale, collection, or retention of consumers’ personal information; and
(8) Any other practical and reliable method of calculation used in good-faith.

 

Article 7. Severability


§ 999.341.


A If any Article, section or part of these regulations is found to be unconstitutional, contrary to statute, or in excess of the Attorney General's authority, the remaining regulations remain in force.

 

 

CCPA Explained: Article 1 General Provisions - Part 1 - Scope and Definitions

CCPA Explained: Article 2 - Notices to Consumers - Part 2 - Notice at Collection

CCPA Explained: Part 3 The Right to Opt-Out and Offering Financial Incentives

CCPA Explained: Part 4 - Privacy Policy

CCPA Explained: Part 5 - Article 3 -Business Practices for Handling Consumer Requests

CCPA Explained: Part 6 - Article 3 -Business Practices for Handling Consumer Requests

CCPA Explained: Part 7 - Article 3 -Business Practices for Handling Consumer Requests

CCPA Explained: Part 8 - Article 4. Verification of Requests

CCPA Explained: Part 9 - Article 5. Special Rules Regarding Minors

CCPA Explained: Part 9 - Article 5. Special Rules Regarding Minors 

 Oct 15, 2019 1:00 PM
by Derek Lackey

§ 999.330. Minors Under 13 Years of Age

A The process for Opting-In to the Sale of Personal Information:
1 A business that knowingly collects or maintains the personal information of children under the age of 13 must establish, document and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the child's personal information is the child's parent or guardian. The authorization must be an affirmative action (checking a box, etc.) and is required in addition to any verifiable parental consent already demanded by the Children's Online Privacy Protection Act, 15 U.S.C. sections 6501 et seq.
2 Methods reasonably calculated to ensure that the person is the child's parent or guardian include:
a providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business before the sale proceeds;
b requiring the parent or guardian, in connection with a monetary transaction, to use a credit card, debit card or other online payment system that notifies the account holder of each transaction;
c having the parent or guardian call a toll-free telephone number staffed by trained personnel;
d having the parent or guardian connect to trained personnel via video-conference;
e having the parent or guardian communicate in person with trained personnel;
f verifying the parent or guardian's identity against a form of government-issued identification, provided that the identification is deleted from the business's records as soon as verification is complete.

B Once a parent is confirmed, they should be informed of their right to opt-out at a later date and be clearly instructed how to do so.

 

§ 999.331. Minors 13 to 16 Years of Age

A A business that knowingly collects or maintains the personal information of minors aged 13 to 16 shall establish, document and comply with a reasonable process for allowing those minors to opt-in to the sale of their personal information, using the two-step opt-in process described in Section 999.316.

B At the time of opt-in, a business must inform the minor of their right to opt-out at any later date and explain how to do so pursuant to Section 999.315.

 

§ 999.332. Notices to Minors Under 16 Years of Age

A Any business subject to Section 999.330 or 999.331 must include a description of the required processes in its Privacy Policy.

B A business that targets minors under the age of 16 and does not sell their personal information without affirmative authorization is not required to provide the notice of the right to opt-out.

 


CCPA Explained: Part 8 - Article 4. Verification of Requests

 Oct 15, 2019 10:00 AM
by Derek Lackey

§ 999.323. General Rules Regarding Verification

A A business shall establish, document and comply with a reasonable method for verifying the identity of the person making a request to know or a request to delete.

B In doing so, the business shall:
1 Whenever feasible, match the identifying information provided by the consumer to the personal information the business already maintains, or use a third-party identity verification service that does so.
2 Avoid collecting the types of personal information identified in Civil Code Section 1798.81.5(d) (for example, Social Security numbers, driver's license numbers and account credentials) unless necessary to identify the consumer.
3 Consider the following factors:
a) The type, sensitivity and value of the personal information: sensitive or valuable information requires a more stringent verification process. The information identified in Civil Code Section 1798.81.5(d) should be treated as sensitive.
b) The risk of harm to the consumer from unauthorized access or deletion: if that risk is likely, a more stringent process is required.
c) The likelihood that fraudulent or malicious actors would seek the information: the higher the likelihood, the more stringent the process should be.
d) Whether the information requested for verification is itself robust enough that a request cannot easily be spoofed or fabricated.
e) The manner in which the business interacts with the consumer.
f) The technologies available for verification.

C A business shall avoid requesting additional information for verification unless it cannot verify the consumer from the information it already maintains. Any additional information collected may be used only for verification, security or fraud prevention, and shall be deleted as soon as practical after the request has been processed, except as required by Section 999.317 to demonstrate compliance.

D A business shall use reasonable security measures to detect fraud and protect personal information from unauthorized access.

E A business that maintains consumer information only in a de-identified form is not obligated to provide or delete that information in response to a request, nor to re-identify it in order to verify the request.


§ 999.324. Verification for Password-Protected Accounts

A If a business maintains a password-protected account with the consumer, it may verify the consumer's identity through its existing authentication practices, provided it also follows the requirements of Section 999.323. The business shall require the consumer to re-authenticate before disclosing or deleting any data.

B If the business suspects fraudulent or malicious activity on or from the password-protected account, it shall not comply with the request until further verification has been done. The business may use the procedures described in Section 999.325 to further verify the consumer.

 

§ 999.325. Verification for Non-Accountholders

A If a consumer does not have or cannot access a password-protected account, the business shall comply with subsections B through F of this section, in addition to Section 999.323.

B For a request to know categories of personal information, the business must verify the consumer's identity to a reasonable degree of certainty, which may include matching at least two data points provided by the consumer with data points the business maintains and has determined to be reliable for verification.

C For a request to know specific pieces of personal information, the business must verify the consumer's identity to a reasonably high degree of certainty: matching at least three data points provided by the consumer against the personal information on file, together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. The business shall retain all signed declarations.

D For a request to delete, the business shall verify the consumer's identity to a reasonable or a reasonably high degree of certainty, depending on the sensitivity of the personal information and the risk of harm from unauthorized deletion. For example, deleting a family's photographs requires a reasonably high degree of certainty, while deleting browsing history may only require a reasonable degree of certainty. A business is expected to act in good faith when verifying the consumer and to follow Article 4 of these regulations.

E Examples:
(1) If a business maintains personal information in a manner associated with a named actual person, the business may verify the consumer by requiring the consumer to provide evidence that matches the personal information maintained by the business. For example, if the business maintains the consumer's name and credit card number, the business may require the consumer to provide the credit card's security code and identify a recent purchase made with the card to verify their identity to a reasonable degree of certainty.
(2) If a business maintains personal information in a manner that is not associated with a named actual person, the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the non-name identifying information. This may require the business to conduct a fact-based verification process that considers the factors set forth in Section 999.323(b)(3).

F A business that has no reasonable method of verifying a consumer to the degree of certainty this section requires shall say so, either in response to the request or in its Privacy Policy, and explain why it cannot verify the consumer. It shall also evaluate and document annually whether its practices can be changed to allow verification.

 

§ 999.326. Authorized Agent

A When a consumer uses an authorized agent to submit a request to know or a request to delete, the business may require:
1 the consumer's signed permission for the agent to act on their behalf, and
2 the consumer to verify their own identity directly with the business.

B Subsection A does not apply when the consumer has given the authorized agent power of attorney pursuant to Probate Code sections 4000 to 4465.

C A business may deny a request from an authorized agent that cannot provide proof that it has been authorized by the consumer to act on the consumer's behalf.

 


CCPA Explained: Part 7 - Article 3 -Business Practices for Handling Consumer Requests

 Oct 14, 2019 2:00 PM
by Derek Lackey

§ 999.317. Training; Record-Keeping

A All individuals responsible for handling consumer inquiries about the business's privacy practices or its CCPA compliance shall be informed of all the requirements of the CCPA and these regulations, and of how to direct consumers to exercise their rights.

B A business must retain records of all responses for at least a 24 month period.

C A business may keep these records in a ticket or log format, but they should include the following details: the date of the request, the nature of the request, the manner in which the request was made, the date of the business's response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

D Keeping this data does not violate the CCPA, as long as it is used solely for recordkeeping.

E This data shall not be used for any purpose other than recordkeeping.

F Aside from this purpose, CCPA does not require a business to keep any other details about a consumer.

G A business that annually buys, receives, sells or shares the personal information of 4,000,000 or more consumers must:
1. compile, for the previous calendar year:
a. the number of requests to know received, complied with in whole or in part, and denied;
b. the number of requests to delete received, complied with in whole or in part, and denied;
c. the number of requests to opt-out received, complied with in whole or in part, and denied;
d. the median number of days within which the business substantively responded to requests to know, requests to delete and requests to opt-out.
2. disclose the above details in its Privacy Policy, or on a page linked from its Privacy Policy.
3. establish, document and comply with a training policy to ensure that all individuals responsible for handling consumer requests or the business's CCPA compliance are informed of all the requirements of the CCPA and these regulations.
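The figures Section 999.317(g) asks for follow directly from a ticket log laid out as in subsection C. The following is an added example written for this page, not code from the original post or from the regulations; the record layout and the sample tickets are constructed. It validates that every record carries the required fields (and that a denial records its basis), counts received, complied and denied requests per type, excludes still-open tickets from the median because they have no response date yet, and flags responses that exceeded the 45-day window of Section 999.313(b) for review (the window can be extended once with notice, so an overrun alone is not proof of a violation).

```python
"""Compile the request metrics of Section 999.317(g) from a ticket log.

Added example written for this page; not code from the original post or from
the regulations. The record layout and the sample tickets are constructed.
"""
from datetime import date
from statistics import median
from typing import Dict, List

REQUEST_TYPES = ("know", "delete", "opt-out")
# A response is "granted", "partial", "denied", or None while the ticket is open.
COMPLIED = ("granted", "partial")
# Section 999.313(b) response window. It can be extended once by notifying the
# consumer, so exceeding it is flagged for review, not reported as a violation.
RESPONSE_WINDOW_DAYS = 45

# Constructed ticket log in the shape Section 999.317(c) calls for. Not real data.
RECORDS: List[dict] = [
    {"received": date(2019, 1, 3), "type": "know", "channel": "webform",
     "responded": date(2019, 1, 20), "response": "granted", "denial_basis": None},
    {"received": date(2019, 2, 1), "type": "know", "channel": "toll-free",
     "responded": date(2019, 3, 23), "response": "denied",
     "denial_basis": "identity could not be verified"},
    {"received": date(2019, 5, 10), "type": "delete", "channel": "webform",
     "responded": date(2019, 5, 25), "response": "granted", "denial_basis": None},
    {"received": date(2019, 6, 1), "type": "opt-out", "channel": "browser signal",
     "responded": date(2019, 6, 10), "response": "granted", "denial_basis": None},
    {"received": date(2019, 12, 20), "type": "delete", "channel": "mail",
     "responded": None, "response": None, "denial_basis": None},  # still open
    {"received": date(2018, 12, 28), "type": "know", "channel": "email",
     "responded": date(2019, 1, 5), "response": "granted", "denial_basis": None},  # prior year
]

REQUIRED_FIELDS = ("received", "type", "channel", "responded", "response", "denial_basis")


def validate_record(rec: dict) -> None:
    """Reject a record that lacks the details Section 999.317(c) requires."""
    for key in REQUIRED_FIELDS:
        if key not in rec:
            raise ValueError(f"missing field {key!r}")
    if rec["type"] not in REQUEST_TYPES:
        raise ValueError(f"unknown request type {rec['type']!r}")
    if rec["response"] == "denied" and not rec["denial_basis"]:
        raise ValueError("a denied request must record the basis for denial")


def compile_metrics(records: List[dict], year: int) -> Dict[str, object]:
    """Counts per request type and median days to respond for requests received
    in `year`. Open tickets count as received but have no response date, so they
    are excluded from the median."""
    for rec in records:
        validate_record(rec)
    in_year = [r for r in records if r["received"].year == year]
    metrics: Dict[str, object] = {}
    for kind in REQUEST_TYPES:
        of_kind = [r for r in in_year if r["type"] == kind]
        metrics[kind] = {
            "received": len(of_kind),
            "complied": sum(1 for r in of_kind if r["response"] in COMPLIED),
            "denied": sum(1 for r in of_kind if r["response"] == "denied"),
        }
    days = [(r["responded"] - r["received"]).days
            for r in in_year if r["responded"] is not None]
    metrics["median_days_to_respond"] = median(days) if days else None
    metrics["still_open"] = len(in_year) - len(days)
    metrics["over_window"] = sum(1 for d in days if d > RESPONSE_WINDOW_DAYS)
    return metrics


if __name__ == "__main__":
    print(compile_metrics(RECORDS, 2019))
```

Requests are attributed to the year in which they were received, so the ticket received in December 2018 and answered in January 2019 belongs to the 2018 figures; pick one convention and keep it from year to year so the published numbers are comparable.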

 

§ 999.318. Requests to Access or Delete Household Information

A  A business may respond to a Request to Know or Request to Delete, as it pertains to household personal information, by providing aggregate household information, subject to verification requirements set forth in Article 4.

B If all consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information, and the business can individually verify all the members of the household subject to verification requirements set forth in Article 4, then the business shall comply with the request.

 


CCPA Explained: Part 6 - Article 3 -Business Practices for Handling Consumer Requests

 Oct 14, 2019 1:00 PM
by Derek Lackey

§ 999.314. Service Providers

A A Service Provider (see Civil Code section 1798.140(v)) that provides services to a person or organization that is not itself a business is nevertheless treated as a Service Provider under the CCPA.

B A person or entity that a business directs to collect personal information directly from consumers on the business's behalf, and that otherwise meets the definition of a Service Provider, is deemed a Service Provider under the CCPA.

C A Service Provider shall not use personal information received from one client, or from consumers' direct interactions with it on that client's behalf, for the purpose of providing services to another person or entity. It may combine personal information received from several client businesses only to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity.

D A Service Provider is not obligated to respond to consumer requests to know or delete made to it directly. It should explain the basis for declining, inform the consumer that the request should be submitted to the business on whose behalf the data is processed, and, when feasible, provide that business's contact information.

E A Service Provider that collects personal information for its own purposes, rather than on behalf of a client business, must itself comply with the CCPA for that information.


§ 999.315. Requests to Opt-Out

A  A business must provide consumers with at least two methods of submitting a request to opt-out, including the mandatory "Do Not Sell My Info" clear and conspicuous button or link on their website. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism (preference centres) , that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.

B A business should consider the usual methods of communicating with their consumer when selecting the second method of submitting an opt-out request.

C If a business is online it should accept browser controls or preference centre selections as a valid request for opt-out.

D A business may offer consumers a more granular opt-out (for example, by category of information or by purpose) in addition to the global opt-out, as long as the global option is presented more prominently than the other choices.

E A business shall act on a request to opt-out as soon as feasibly possible, and no later than 15 days from the date it receives the request.

F A business shall notify all third parties to whom it sold the consumer's personal information in the 90 days before it received the request that the consumer has opted out, and instruct them not to sell the information further. The business shall inform the consumer once this is complete.

G A consumer may appoint an authorized agent to submit a request to opt-out on their behalf, and the appointment must be in writing. A business may deny the request if the agent cannot provide written proof that the consumer has authorized the agent to act on their behalf. Requests made through user-enabled privacy controls, such as browser settings or preference centres, are treated as coming directly from the consumer.

H A request to opt-out need not be a verifiable request. If, however, a business has a good-faith, reasonable and documented belief that a request is fraudulent, it may deny the request and must inform the requestor of its reasons for believing the request is fraudulent.

 

§ 999.316. Requests to Opt-In After Opting Out of the Sale of Personal Information


A If a consumer wishes to opt back in, the business must use a two-step process (double opt-in) to confirm their choice.

B If a transaction requires the sale of the personal information of a consumer who has opted out as a condition of completing it, the business may inform the consumer of this, along with instructions on how to opt back in.

 


CCPA Explained: Part 4 - Privacy Policy

 Oct 14, 2019 11:00 AM
by Derek Lackey

§ 999.308. Privacy Policy


A  Purpose and General Principles
1. to be transparent with consumers about the business's practices regarding the collection, use, disclosure and sale of personal information. The Privacy Policy describes practices in general: it shall not contain specific pieces of personal information about individual consumers and need not be personalized for each consumer.
2. shall be written in an easy-to-read format and be understandable to an average consumer:
a) use plain, straightforward language and avoid technical or legal jargon.
b) make it easy to read - including on a mobile device.
c) present it in the languages normally used on your website.
d) make it accessible to consumers with disabilities.
e) make it available in an alternative format so consumers can print it.

3. Post the Privacy Policy online via a conspicuous link using the word "privacy" on the business's homepage. If the business has a California-specific description of consumers' privacy rights on its website, the Privacy Policy must be included in that description or linked from it. A business with no website shall make the Privacy Policy conspicuously available to consumers in another way, such as upon request.

B A business must include:
1. a description of the right to know about personal information being collected, disclosed or sold.
a) explain that a consumer has the right to request that the business disclose what personal information it collects, uses, discloses and sells.
b) be clear about the process for submitting a verifiable request to know, with links to any online forms.
c) describe the process the business will use to verify the request, including the information the consumer must provide.
d) regarding collection of personal information:
1. list the categories collected in the last 12 months.
2. for each category, provide the source where that data was collected. Include the commercial purpose for collecting that data and the categories of third parties it will be shared with. The notice should be in writing in an easy to understand format.
e) Regarding disclosure of the personal information:
1. state whether the data has been disclosed to a third party for business or commercial purposes, in the last 12 months.
2. List the categories shared or sold to third parties in the past 12 months.
3. If the business has actual knowledge that it sells the personal information of minors under the age of 16, state whether it does so without affirmative authorization.

2.  regarding the right to request deletion:
a) make it clear that a consumer has the right to request deletion of their personal information collected or maintained by a business.
b) tell the consumer how to submit a verifiable request to delete, providing links to forms if appropriate.
c) tell the consumer how you will verify their identity upon receiving a request.


3. Regarding the right opt-out of the sale of personal information:
a) clearly explain their right to opt-out of the sale of their personal information.
b) include the contents of, or a link to, the notice of the right to opt-out described in Section 999.306.

4. regarding the consumer's right to non-discrimination for exercising their privacy rights:
a) explain clearly that a consumer has the right not to receive discriminatory treatment by the business for exercising their privacy rights.

5. Authorized Agents
a) state clearly that a consumer has the right to appoint an authorized agent to make a privacy request on behalf of the consumer.

6. Using a format your business typically uses to communicate with consumers, provide a contact person that a consumer can reach with any questions/concerns about their privacy policies and practices regarding your business.


7.  state the date the Privacy Policy was last updated.


8. If subject to the requirements of Section 999.317(g) (businesses that annually buy, receive, sell or share the personal information of 4,000,000 or more consumers), the metrics compiled under Section 999.317(g)(1) for the previous calendar year, or a link to them.

 


CCPA Explained: Part 5 - Article 3 -Business Practices for Handling Consumer Requests

 Oct 14, 2019 11:00 AM
by Derek Lackey

§ 999.312. Methods for Submitting Requests to Know and Requests to Delete

 

A A business shall provide two or more designated methods for submitting requests to know, including, at a minimum, a toll-free telephone number and, if the business operates a website, an interactive webform accessible through the website. Other acceptable methods include a designated email address, a form submitted in person and a form submitted through the mail.

B A business shall provide two or more designated methods for submitting requests to delete. Acceptable methods include, but are not limited to, a toll-free telephone number, a link or form available online, a designated email address, a form submitted in person and a form submitted through the mail.

C A business shall consider the methods by which it primarily interacts with consumers when choosing which methods to provide.
(1) Example 1: If the business is an online retailer, at least one method by which the consumer may submit requests should be through the business's retail website.
(2) Example 2: If the business operates a website but primarily interacts with customers in person at a retail location, the business shall offer three methods to submit requests to know: a toll-free telephone number, an interactive webform accessible through the business's website, and a form that can be submitted in person at the retail location.

D A business shall use a two-step process for online requests to delete: the consumer first submits the request and then separately confirms that they want their personal information deleted.

E A business that does not interact directly with consumers in its ordinary course of business must still provide at least one designated method, typically a link to a simple online form.

F If a request is received without using the provided formats, the business shall either:
1. treat the request as though it was submitted properly, or
2. provide the consumer with the simple forms to properly make the request.


§ 999.313. Responding to Requests to Know and Requests to Delete

A A business must confirm receipt of a request to know or a request to delete within 10 days and provide a clear statement of how the request will be processed, including the verification process used to confirm the identity of the requestor and when the consumer should expect a response, except where the business has already granted or denied the request.

B The business shall respond within 45 days of receiving the request, including the time taken for verification. If necessary, the business may take up to an additional 45 days, provided it notifies the consumer in writing of the extension and the reasons for it.

C Responding to Requests to Know
1. If a business cannot verify the identity of a consumer requesting specific pieces of personal information, it shall not disclose any specific pieces and shall inform the requestor that it cannot verify their identity.
2. If a business cannot verify the identity of a consumer requesting the categories of personal information collected, it may deny the request; it shall inform the requestor and direct them to the general description of its practices regarding the collection, use, disclosure and sale of personal information in its Privacy Policy.
3. A business shall not disclose specific pieces of personal information if doing so would create a substantial, articulable and unreasonable risk to the security of that information, the consumer's account, or the business's systems or networks.
4. A business shall not at any time disclose a consumer's Social Security number, driver's license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.
5. A business may deny a request, in whole or in part, and shall explain the basis for the denial to the consumer. If the denial is partial, the remaining information shall be provided in the normal manner.
6. A business shall use reasonable security measures when transmitting personal information to the consumer.
7. If the consumer has a password-protected account, the business may provide the information through a secure self-service portal, provided the portal fully discloses the required information, uses reasonable data security controls, and complies with the verification requirements.
8. The 12-month period covered by a consumer's verifiable request to know referenced in Civil Code section 1798.130(a)(2) shall run from the date the business receives the request, regardless of the time required to verify the request.
9. In responding to a request to know categories of personal information, categories of sources or categories of third parties, a business shall provide an individualized response. It shall not simply refer the consumer to the general practices described in its Privacy Policy, unless its response would be the same for all consumers and the Privacy Policy already discloses all of the required information.
10. In response to a request to know categories of personal information, the business shall provide, for each category:
a) the categories of sources from which the personal information was collected,
b) the business or commercial purpose for which it was collected,
c) the categories of third parties to whom it was sold or disclosed, and
d) the business or commercial purpose for which it was sold or disclosed.

11. A business must use an easy to understand format of identifying the categories of personal information, categories of sources of personal information, and categories of third parties to whom a business sold or disclosed personal information.

D Responding to Requests to Delete
1. If a business cannot verify the identity of a consumer making a request to delete, they may deny the request, opting instead to simply treat the request as a request to opt-out of the sale of their personal information.
2. A business shall comply with a request to delete by:
a) permanently and completely erasing the personal information from its existing systems, with the exception of archived or backup systems;
b) de-identifying the personal information; or
c) aggregating the personal information.
3. If personal information is stored on archived or backup systems, the business may delay deletion from those systems until the archived or backup system is next accessed or used.
4. A business shall specify to the consumer the manner in which it deletes the personal information.
5. A business shall inform the consumer that it will maintain a record of the request to delete, as required by Section 999.317.
6. When a business denies a request to delete, in whole or in part, it shall:
a) inform the consumer that it will not comply with the request and describe the basis for the denial, including any statutory or regulatory exception it relies on;
b) delete the consumer's personal information that is not subject to the exception; and
c) not use the personal information it retains for any purpose other than that provided for by the exception.
7. A business can offer the option to delete select portions of data rather than the entire file of personal information. A two-step confirmation process should be deployed.

CCPA Explained: Article 1 General Provisions - Part 1 - Scope and Definitions

CCPA Explained: Article 2 - Notices to Consumers - Part 2 - Notice at Collection

CCPA Explained: Part 3 The Right to Opt-Out and Offering Financial Incentives

CCPA Explained: Part 4 - Privacy Policy

CCPA Explained: Part 3 The Right to Opt-Out and Offering Financial Incentives

 Oct 12, 2019 12:00 PM
by Derek Lackey

Still in Article 2 - Notices to Consumers, in this chapter we deal with the notices required to inform consumers of their right to opt-out, as well as those required when offering a Financial Incentive for the sale of their data. While doing so is legal, certain notices and transparency are required.

§ 999.306. Notice of Right to Opt-Out of Sale of Personal Information

A   Purpose and General Principles
(1) to inform consumers of their right to restrict the sale of their data
(2) an easy-to-understand opt-out must be offered
a. use plain, straightforward language - no legal jargon.
b. draw attention to the notice
c. present it in the languages the site normally uses.
d. be accessible to consumers with disabilities.

B A business that sells personal information must provide a clear notice to opt-out and make it easy to do so.
(1) An obvious "Do Not Sell My Info" button with links to what could be sold by category, linked to that section of the privacy policy.
(2) Develop an offline method of informing as well.
(3) All obligations must be met in an offline solution.

C Language to include in your opt-out
(1) a description of the consumer's right to opt-out
(2) a link to the website where they can opt-out
(3) clear and simple instructions of how to opt-out
(4) create an audit trail of opt-outs
(5) a link to the Privacy Policy

D Exemptions
(1) if your organization does not and will not sell personal information.
(2) This is stated in the Privacy Policy. It is important to note here that a consumer whose personal data is collected during a period when a "Do Not Sell My Info" notice is NOT posted is deemed to have opted-out of their data being sold.

E Opt-Out Button or logo
(1) an example will be provided
(2) this Button or logo should be linked to the Privacy Policy and the webpage that captures their preference.

 

§ 999.307. Notice of Financial Incentive

A   Purpose and General Principles
(1) the purpose of this notice is to explain the value proposition to the consumer so they can make an informed decision.
(2) shall be easy to read and understand
a. use plain, straightforward language - no technical or legal jargon.
b. use a format that draws consumer's attention.
c. make available in the languages used on the website.
d. be accessible to consumers with disabilities.
e. place the notice where people can read it prior to opting in, both online and offline.
(3) the description can be a link to the section of the Privacy Policy that describes these incentives and the value proposition (in plain language).

B Elements to include in the Notice of Financial Incentives
(1) a clear, succinct summary of the offer
(2) details of the material terms including the categories of personal information affected.
(3) easy directions to opt-out now or in the future.
(4) inform consumers of their right to opt-out and how to do so.
(5) an explanation of why the Financial Incentive is permitted under CCPA
a. a good faith estimate of the value of the consumer's data that forms the basis for the transaction.
b. how that value is calculated.

In our next chapter we will provide what you need to know to craft a Privacy Notice in this new data protected environment.


CCPA Explained: Article 2 - Notices to Consumers - Part 2 - Notice at Collection

 Oct 12, 2019 11:00 AM
by Derek Lackey

We write these chapters to assist organizations to effectively and efficiently IMPLEMENT new practices designed to take care of your prospects and customers while meeting the standards set by this new law. It begins with understanding your obligations under the new CCPA.

Article 2. Notices to Consumers

§ 999.305 Notice at Collection of Personal Information

A. Purpose and General Principles
1. Categories of Personal Information and why you are collecting it.
2. Easy to read and understandable to an average consumer.
a) Use plain, straightforward language and avoid technical or legal jargon
b) a format that draws attention
c) in languages the business usually uses
d) accessible to consumers with disabilities
3. PI cannot be used for any purpose other than the stated purpose. If scope is revised, new permission must be requested.
4. Cannot collect more categories of PI than you are disclosing.
5. No notice. No collection.

B. Include the following in its notice at collection
(1) a list of the categories about to be collected, written in a way that can be understood.
(2) each category and a statement how it will be used.
(3) if the business sells information - Do Not Sell My Info must be added
(4) a link to the privacy policy

C. Notice at collection may be a link to the section of the privacy policy that contains the information required.

D. If you did not collect the Personal Information yourself you should:
(1) Contact the person with a notice to opt-out
(2) Contact the source of the information to:
a. confirm a Notice at Collection was executed originally.
b. Obtain a written description of how Notice was provided with an example of the notice. This should be kept for at least 2 years.

This is easy to grasp and with paragraph C, very easy to implement. All you need to do is add these categories and use statements to your privacy policy and create a link BEFORE your fields on your webform. For every category of data you collect, an organization should write a paragraph in their privacy policy describing why it is being collected and how it will be used. As we can see where this is all heading, add how long you intend to keep it and you will be ready for the next wave of data protection laws, which you can bet will follow the CCPA shortly.
