Tag Archives: CCPA

What Comes After California’s CCPA?

In 2003 California passed Senate Bill 1386 (SB-1386). It was the first online privacy law in the U.S. What followed, over the next 17 years, was that every state in the nation implemented a law, generally modeled after SB-1386.

In 2018 California, sort of with a gun to its head, passed CCPA. Again a first in the land, CCPA was modeled after Europe’s GDPR, with a few twists and turns.

Since CCPA was passed under duress, the legislature decided to fiddle with it a bit after it was passed. In addition, the Attorney General, who didn’t get much money in the deal, decided that he effectively was not going to enforce it.

Based on all of that, the original backer of CCPA, Alastair MacTaggart, went back to the original plan and created a new ballot measure on the ballot this year – Proposition 24. That measure passed last week. So what does it bring to the party? Here are a few things; stay tuned for more details.

  1. Since the AG didn’t seem to want to enforce CCPA before, this measure created a new department – the California Privacy Protection Agency – with a $10 million budget.
  2. It closed the Facebook loophole in CCPA. They said they didn’t sell your data, just used it to target you, so CCPA did not apply. It does now.
  3. Adds some protections for “sensitive data,” but weakens protections for biometric data.
  4. Takes steps towards ensuring algorithmic transparency and fairness.
  5. Provides some data minimization requirements.
  6. Permits “pay for privacy” schemes – it allows companies to offer discounts in exchange for permission to collect and use personal data. This undermines privacy rights and discriminates against individuals who are economically disadvantaged. More about this later. Some people are hung up over this one.
  7. Does not allow for an expanded private right of action.

Unlike CCPA which the legislature can change on a whim, Prop 24 has language in it that says the legislature can fiddle with it, but only if the fiddling is privacy neutral or privacy enhancing.

One complaint from the fairness crowd is that CCRA (Prop 24) is not fair because it allows companies that want to sell your data to charge you more if you don’t want them to use your data. This, they say, will create two data classes – the rich who can afford privacy and the rest of us who cannot.

This is just a start – I will continue to talk about this over time.

Also consider that more states will consider CCPA/CCRA- style laws after this ballot measure was approved.

Note that the proposition does not go into effect until 2023, so there is still plenty of time for everyone to fight over it. Credit: EPIC, ACLUNC

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subs and steal our tech.  In theory CFIUS and FRRMA should make that harder as the government has the right to nix buyouts if they think they will hurt us, but first they have to know about it.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved.  I am sure now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen into your call.  Moral of the story, if you are doing something illegal. Or classified.  Don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.

What Does California’s New Privacy Law Mean to the Average Person

California’s new privacy law, CA AB 375 or the California Consumer Privacy Act (CCPA) along with it’s attendant modifications and rules goes into effect next week.  As companies scurry around to meet the January 1, 2020 deadline, here is some information on what CCPA means to the average resident of California and elsewhere.

While CCPA is still a bit of a work in progress, we need to put a fork in it anyway.

Why is it important?

This is the first time anyone, anywhere in the United States, has any “rights” to their data. While residents of the European Union have enjoyed rights to their data for about 18 months, and the world has not ended. This is a new adventure in the United States.

What Data Does This Cover?

It covers all the things you would expect like drivers license numbers, bank account information and your Social Security number, but it also covers a lot of other information.  All biometrics are covered (like your iris scan, fingerprints and DNA).  Also your IP address and other identifiers used to track you on the Internet.  Even how you smell is covered.  Data extracted DIRECTLY from public government records is not covered.

Can I Tell Those Social Media Giants to Delete Me?

You can, but I guarantee that they are going to try and discourage you or fool you.  You don’t REALLY want us to delete your stuff – how about if we take your name off it; surely that is good enough.  But you can ask them to delete it and they MUST do it.

What if they don’t do it?

The law allows for a $2,500 fine per violation or three times that if it is intentional.  But the catch is that fine can only come from the Attorney General and he doesn’t seem that keen to enforce it.  He is, however, a politician, so if there is political pressure or if he thinks that attacking some company will help get him reelected, it is game over.  The law didn’t give him extra budget or people to enforce it.

What about if there is a breach?

That is a chicken of a different color.  If there is a breach, any California resident can sue (or be part of a class action) for up to $750 per person affected, without having to show that they were damaged, or more if they can show that.

Expect there to be a cottage industry of attorneys in California going after breached companies.

Also, this right cannot be waived, so those shrink wrap agreements that no one reads – the ones that ban class action participation or lawsuits vs. arbitration – when it comes to this, they can’t be enforced.

Can I still use Facebook if I tell them not to sell my data?

They might be able to strip down the services, but only to the extent that they can show how much your data is worth to them.  If they want to charge you, they also have to show how much your data is worth.  Optics being what it is, I doubt very many businesses want the negative PR.  They are just hoping that not very many people opt out.

What if I don’t live in California?

Technically you can’t take advantage of the law.  BUT, you can see what is in the CCPA documents – what data they are collecting and how they are using it, for example.

Also, some companies are offering CCPA coverage to all residents of the U.S.  Microsoft is one of those companies.  In that case, the companies are voluntarily giving you the same rights, even though the law doesn’t force them to .

There will likely be a lot more  information coming out, so stay informed.  This is likely a dawn of a new era.

Unless Congress passes a weak national privacy law which overrides stricter state laws.  Congress is talking about this, but it is a very sticky political subject so I am not counting on this.  Still, no one is safe while Congress is in session.  Source: CNet

 

 

 

 

Mactaggart Gets Ready to Launch New Ballot Initiative – CCPA 2

Alastair Mactaggart, who pretty much single handedly is responsible for the California Consumer Privacy Act is on the warpath again.

CCPA 2, another ballot initiative, would grant California residents new rights in their health and financial records and also their precise location.  It would require consumers to opt in to companies selling that data and would also allow them to block the use of that data for targeted ads.

It would also establish a California privacy agency since it seems that the current AG isn’t real excited about enforcing the current CCPA law.

It would create stronger penalties for violating this law with data on kids under 16 (California already has a stronger law than the feds do for kids called CalOPPA).

It would also require companies to explain how their algorithms work in certain cases like determining employment prospects.

Given that he was able to collect 600,000 signatures very quickly for CCPA and that he is willing to spend his own money for CCPA 2, I would watch what happens closely.

If he collects enough signatures, this will go on the ballot in  2020, with an effective date sometime after that.

Source: WaPo

The Times They Are A Changin – So Says GDPR

The EU’s high court – the Court of Justice of the European Union – said this week that web sites including search engines must ask users to opt in to sharing of their data.

Web sites such as Google know that if users have to actively do something for the sole purpose of allowing Google to sell their data, that some percentage will not do it.  That is why in the US, the best that you might get from a web site is the ability to uncheck a box, which again, most users will not do.

But in Europe you have to deal with GDPR.

This particular case started in Germany when a local web site pre-checked a box that allowed them to use cookies.

I am not sure what these folks were thinking, but I had no doubt that doing what they did would violate GDPR.  Likely these folks will face a  big fine.  Then they should uncheck the box.

I think this is a precursor to this happening in the US, starting with California’s privacy law AB375.  It is not clear what web sites will need to do about cookies because clearly a user can opt out of data sharing and depending on how cookies are used, that could be a problem.

I see a huge number of web sites that have a banner on the home page that says that they are using cookies and the only option that users have to click on is OK.   THIS IS VERY LIKELY A VIOLATION OF GDPR and may well be a violation of laws like CCPA (AB375).  GDPR specifically says that you cannot refuse service if users do not allow you to sell your data and CCPA says that you have to give equal service whether users opt out of data sharing or not.

While companies love collecting data, they love paying large fines somewhat less, so now is the time to understand what is allowed and what is not allowed. Source: Politico

Business Roundtable Lobbying Group Wants Weak National Privacy Law

O P I N I O N

50 Very Data Hungry CEOs (Out of About 30 Million) Try to Fool Congress into Letting Them Abuse Your Data

A group of big data CEOs wrote a letter to Congressional leaders requesting a Federal privacy law which would usurp the state’s rights to protect their consumers as they see fit.

A spokesperson for Facebook responded several months ago to a reporter’s question about a New York bill requiring companies to be a data fiduciary with the response that if the bill passed (it didn’t), Facebook might as well shut down in New York.  The spin doctors tried to walk that back the next day, but the reality is, if that law passed, it would require Facebook and companies like them to change their business models.

In fairness, it is difficult for companies to keep up with all the privacy laws (we help companies do that), but unless your business model requires that you sell your customer’s data to stay in business, complying is manageable, but it does take work.  Unfortunately, the Facebooks and Googles of the world have made things more complex for everyone else.

The state of data privacy is roughly in the same place that cybersecurity was in after California passed it’s landmark security bill (CA SB 1386) in 2003.  SB 1386 is the model that every other state drew from for enact their security laws.  Now CA AB 375 (the new California Consumer Privacy Act) has already begun this process over again with privacy laws.

Even though they don’t say this, what they really want is for Congress to pass a law because they know that their lobbying billions will allow them to buy a very weak law that will nullify laws like the ones in California, New York, Nevada, Vermont and other states.

The longer Congress doesn’t act, the more states will pass strong privacy laws, because that is what consumers want and the harder it will be to get votes at the national level to obliterate rights people already have – hence the urgency from these CEOs.

The California law would allow people to sue businesses that have breaches, which would dramatically change the economics of lax security practices – right now, at the federal court level, you have to prove that you have been tangibly damaged to sue after a breach.  The defense that some companies are using is that there are so many breaches, how do you know that your damage was from our breach.  The California law removes that requirement to prove that the consumer had tangible damages.  That alone scares the crap out of the Facebooks and Googles – and it should.

They are trying to pass this off as stopping consumers from being confused about their rights (like the right to tell Facebook not to sell your data – that is certainly confusing and hard to understand), but that is completely bull.  The 6 rights that the California law gives consumers are each spelled out in one sentence and are easy to understand. For example:

  • The right to know what data a company has and to get a copy of it
  • The right to request that my data be deleted subject to a list of exclusions
  • The right to stop a company from selling my data
  • The right to equal price and service even if I tell you not to sell my data

And a couple of more rights.  These rights are easy to understand and the real problem for CEOs like Amazon’s Jeff Bezos is that people will likely actually use these rights and that might force companies like Amazon to change their business models.

If companies are transparent about their data collection practices, then this is a pretty simple choice.  People can choose to do business with companies that want to sell their data.  Or not.

One thing that makes this conversation different than the conversation around security in 2003 is that places like Europe, Japan and a significant number of others have already given their consumers these rights, so the big data companies already have to deal with this.  No matter what happens in the US, this will happen in the rest of the world.

At that point, as we are already beginning to see, the lack of a strong national privacy law in the US makes it MORE difficult and MORE expensive for US companies to compete in the rest of the world.

In Europe, the first EU/US privacy agreement, Safe Harbor, was struck down by the EU courts as not protecting EU citizens’ rights.  That was replaced by Privacy Shield (which many people say was just Safe Harbor with lipstick) and Privacy Shield is being attacked in the EU courts.  We do not know the outcome of that court battle, but we will soon.  If the courts strike down or force substantial changes to Privacy Shield, that will make the arguments of these 50 CEOs even less intelligent.    Many companies have already decided that it is cheaper, simpler and better PR to have one set of consumer friendly privacy policies worldwide.

Stay tuned;  this will not end any time soon.

Source: C-Net.

NOTE:  This is likely a hot button topic for folks.  Please post your comments to this.  I promise to approve any comment that is moderately sane and rated PG or less.