Tag Archives: CCPA

Cali AG Tells Us About His CCPA Hot Buttons

California AG Rob Bonta has been enforcing the California Consumer Privacy Act for over a year now and we are learning what he doesn’t like.

One bit of good news that we learned is that notices of violations that he sends out triggers a 30 day cure period and that seems to be working.

He said that 75% of the businesses that received a notice fixed the violation. Some of the rest are still in that 30 day period. The remaining, well, they are in trouble.

He published a list of 27 case examples of non-compliance and why. The examples are anonymous. It appears that he is trying not to turn non-compliant businesses into villains – as long as they clean up their acts. This is a good thing for businesses.

As a warning, a lot of the notices were related to privacy policy issues.

There is some argument about opt out, however, and hopefully that will get cleared up. Soon. The AG says that businesses have to comply with global opt out flags that some browsers can send.

Businesses don’t like that. They want to make it as hard as possible, if not impossible, for consumers to screw up their business model. In fact, a number of the examples that the AG talked about were related to that specifically – that companies were making it hard to opt out.

The conflict with the global opt out flag is that the CPRA (think of that as CCPA revision 2) allows businesses to choose between honoring global opt out OR via a DO NOT SELL link.

Obviously businesses figure if people have to opt out a hundred times a day and try to remember where they opted out and where they didn’t they will get tired of that and let businesses continue to sell their data. This is versus setting a one time flag and not having to worry about it ever again. This does not appear to be a technical issue, but rather a desire not to have their apple cart turned over if a lot of people say don’t sell my data.

The AG, however, has created an online privacy tool. Using this tool, a California resident can answer a few questions and if the business fails, the tool collects information to identify who is complaining, what the business is and creates a draft notice for the consumer to send to the business.. Note that filling out this form does not mean the business is a scofflaw, but it does put the business on the AG’s radar.

It is important to understand that this 30 day cure period goes away when CPRA goes into effect on January 1, 2023, so consider this a gift and not a way of avoiding the problem.

Credit: Ballard Spahr

What Comes After California’s CCPA?

In 2003 California passed Senate Bill 1386 (SB-1386). It was the first online privacy law in the U.S. What followed, over the next 17 years, was that every state in the nation implemented a law, generally modeled after SB-1386.

In 2018 California, sort of with a gun to its head, passed CCPA. Again a first in the land, CCPA was modeled after Europe’s GDPR, with a few twists and turns.

Since CCPA was passed under duress, the legislature decided to fiddle with it a bit after it was passed. In addition, the Attorney General, who didn’t get much money in the deal, decided that he effectively was not going to enforce it.

Based on all of that, the original backer of CCPA, Alastair MacTaggart, went back to the original plan and created a new ballot measure on the ballot this year – Proposition 24. That measure passed last week. So what does it bring to the party? Here are a few things; stay tuned for more details.

  1. Since the AG didn’t seem to want to enforce CCPA before, this measure created a new department – the California Privacy Protection Agency – with a $10 million budget.
  2. It closed the Facebook loophole in CCPA. They said they didn’t sell your data, just used it to target you, so CCPA did not apply. It does now.
  3. Adds some protections for “sensitive data,” but weakens protections for biometric data.
  4. Takes steps towards ensuring algorithmic transparency and fairness.
  5. Provides some data minimization requirements.
  6. Permits “pay for privacy” schemes – it allows companies to offer discounts in exchange for permission to collect and use personal data. This undermines privacy rights and discriminates against individuals who are economically disadvantaged. More about this later. Some people are hung up over this one.
  7. Does not allow for an expanded private right of action.

Unlike CCPA which the legislature can change on a whim, Prop 24 has language in it that says the legislature can fiddle with it, but only if the fiddling is privacy neutral or privacy enhancing.

One complaint from the fairness crowd is that CCRA (Prop 24) is not fair because it allows companies that want to sell your data to charge you more if you don’t want them to use your data. This, they say, will create two data classes – the rich who can afford privacy and the rest of us who cannot.

This is just a start – I will continue to talk about this over time.

Also consider that more states will consider CCPA/CCRA- style laws after this ballot measure was approved.

Note that the proposition does not go into effect until 2023, so there is still plenty of time for everyone to fight over it. Credit: EPIC, ACLUNC

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subs and steal our tech.  In theory CFIUS and FRRMA should make that harder as the government has the right to nix buyouts if they think they will hurt us, but first they have to know about it.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved.  I am sure now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen into your call.  Moral of the story, if you are doing something illegal. Or classified.  Don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.

What Does California’s New Privacy Law Mean to the Average Person

California’s new privacy law, CA AB 375 or the California Consumer Privacy Act (CCPA) along with it’s attendant modifications and rules goes into effect next week.  As companies scurry around to meet the January 1, 2020 deadline, here is some information on what CCPA means to the average resident of California and elsewhere.

While CCPA is still a bit of a work in progress, we need to put a fork in it anyway.

Why is it important?

This is the first time anyone, anywhere in the United States, has any “rights” to their data. While residents of the European Union have enjoyed rights to their data for about 18 months, and the world has not ended. This is a new adventure in the United States.

What Data Does This Cover?

It covers all the things you would expect like drivers license numbers, bank account information and your Social Security number, but it also covers a lot of other information.  All biometrics are covered (like your iris scan, fingerprints and DNA).  Also your IP address and other identifiers used to track you on the Internet.  Even how you smell is covered.  Data extracted DIRECTLY from public government records is not covered.

Can I Tell Those Social Media Giants to Delete Me?

You can, but I guarantee that they are going to try and discourage you or fool you.  You don’t REALLY want us to delete your stuff – how about if we take your name off it; surely that is good enough.  But you can ask them to delete it and they MUST do it.

What if they don’t do it?

The law allows for a $2,500 fine per violation or three times that if it is intentional.  But the catch is that fine can only come from the Attorney General and he doesn’t seem that keen to enforce it.  He is, however, a politician, so if there is political pressure or if he thinks that attacking some company will help get him reelected, it is game over.  The law didn’t give him extra budget or people to enforce it.

What about if there is a breach?

That is a chicken of a different color.  If there is a breach, any California resident can sue (or be part of a class action) for up to $750 per person affected, without having to show that they were damaged, or more if they can show that.

Expect there to be a cottage industry of attorneys in California going after breached companies.

Also, this right cannot be waived, so those shrink wrap agreements that no one reads – the ones that ban class action participation or lawsuits vs. arbitration – when it comes to this, they can’t be enforced.

Can I still use Facebook if I tell them not to sell my data?

They might be able to strip down the services, but only to the extent that they can show how much your data is worth to them.  If they want to charge you, they also have to show how much your data is worth.  Optics being what it is, I doubt very many businesses want the negative PR.  They are just hoping that not very many people opt out.

What if I don’t live in California?

Technically you can’t take advantage of the law.  BUT, you can see what is in the CCPA documents – what data they are collecting and how they are using it, for example.

Also, some companies are offering CCPA coverage to all residents of the U.S.  Microsoft is one of those companies.  In that case, the companies are voluntarily giving you the same rights, even though the law doesn’t force them to .

There will likely be a lot more  information coming out, so stay informed.  This is likely a dawn of a new era.

Unless Congress passes a weak national privacy law which overrides stricter state laws.  Congress is talking about this, but it is a very sticky political subject so I am not counting on this.  Still, no one is safe while Congress is in session.  Source: CNet





Mactaggart Gets Ready to Launch New Ballot Initiative – CCPA 2

Alastair Mactaggart, who pretty much single handedly is responsible for the California Consumer Privacy Act is on the warpath again.

CCPA 2, another ballot initiative, would grant California residents new rights in their health and financial records and also their precise location.  It would require consumers to opt in to companies selling that data and would also allow them to block the use of that data for targeted ads.

It would also establish a California privacy agency since it seems that the current AG isn’t real excited about enforcing the current CCPA law.

It would create stronger penalties for violating this law with data on kids under 16 (California already has a stronger law than the feds do for kids called CalOPPA).

It would also require companies to explain how their algorithms work in certain cases like determining employment prospects.

Given that he was able to collect 600,000 signatures very quickly for CCPA and that he is willing to spend his own money for CCPA 2, I would watch what happens closely.

If he collects enough signatures, this will go on the ballot in  2020, with an effective date sometime after that.

Source: WaPo

The Times They Are A Changin – So Says GDPR

The EU’s high court – the Court of Justice of the European Union – said this week that web sites including search engines must ask users to opt in to sharing of their data.

Web sites such as Google know that if users have to actively do something for the sole purpose of allowing Google to sell their data, that some percentage will not do it.  That is why in the US, the best that you might get from a web site is the ability to uncheck a box, which again, most users will not do.

But in Europe you have to deal with GDPR.

This particular case started in Germany when a local web site pre-checked a box that allowed them to use cookies.

I am not sure what these folks were thinking, but I had no doubt that doing what they did would violate GDPR.  Likely these folks will face a  big fine.  Then they should uncheck the box.

I think this is a precursor to this happening in the US, starting with California’s privacy law AB375.  It is not clear what web sites will need to do about cookies because clearly a user can opt out of data sharing and depending on how cookies are used, that could be a problem.

I see a huge number of web sites that have a banner on the home page that says that they are using cookies and the only option that users have to click on is OK.   THIS IS VERY LIKELY A VIOLATION OF GDPR and may well be a violation of laws like CCPA (AB375).  GDPR specifically says that you cannot refuse service if users do not allow you to sell your data and CCPA says that you have to give equal service whether users opt out of data sharing or not.

While companies love collecting data, they love paying large fines somewhat less, so now is the time to understand what is allowed and what is not allowed. Source: Politico