California Consumer Privacy Act of 2018/Consumer Privacy Rights Act of 2020

Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
>> I'm Chris and I'm Cybrary's instructor
00:00
for this US information privacy course.
00:00
In Lesson 9.2,
00:00
we're going to begin our look at
00:00
specific consumer privacy laws and
00:00
other data privacy laws passed
00:00
here in the United States to protect residents.
00:00
Now, we must begin discussion with a brief discussion on
00:00
the California Consumer Privacy Act of 2018
00:00
as amended and then the proposed ballot initiative,
00:00
the Consumer Privacy Rights Act of 2020,
00:00
if approved on the 3rd of November, 2020,
00:00
will significantly amend
00:00
the California Consumer Privacy Act in 2018.
00:00
For those familiar with its history,
00:00
it is the CCPA as it's known of
00:00
that was passed in 10 days,
00:00
initiated by our [inaudible]
00:00
and other members that were concerned about
00:00
the way businesses in California were
00:00
handling and processing and protecting consumer privacy.
00:00
It was placed on the ballot and approved in 2018.
00:00
However, whenever you write a law in 10 days,
00:00
there are going to be ambiguities and
00:00
imperfections that have to be dealt with later.
00:00
We know that in 2018,
00:00
the act itself underwent
00:00
several amendments and then in 2019,
00:00
it reviewed several other proposed amendments.
00:00
Five of those that were submitted to the desk of
00:00
California Governor Newsom that approved five of those.
00:00
It was then kept that they would
00:00
give businesses they had to comply
00:00
with the CCPA two years in which to prepare for
00:00
its enforcement on January 1st of 2020.
00:00
Another requirement was that
00:00
the attorney general would issue a set of
00:00
final regulations to give greater clarity to
00:00
those businesses that had to comply with this act.
00:00
We have several learning objectives.
00:00
We're going to talk about a brief overview
00:00
again of the CCPA.
00:00
We'll talk about the CCPA in greater detail and then
00:00
we'll talk about the CPRA as proposed,
00:00
which is now on the California ballot date 3
00:00
November ballot for
00:00
consideration by California residents.
00:00
Let's talk about the CCPA.
00:00
As I said, it was signed on June 28th of 2018.
00:00
It was there to provide greater privacy protections
00:00
to consumers or residents in the State of California.
00:00
It gave specific definitions
00:00
for what constituted personal information,
00:00
names, social security numbers,
00:00
other types of identifiers, biometric information,
00:00
geolocational information, in some cases,
00:00
professional and educational information in some cases.
00:00
It's quite extensive.
00:00
Many people believed that the CCPA is
00:00
a mirror image of the GDPR, which it is not.
00:00
It takes some provisions from the GDPR,
00:00
but it is a separate law.
00:00
It defines those businesses that
00:00
are licensed to operate in the State of California,
00:00
whether they're e-commerce or
00:00
physically located in the state.
00:00
They have to meet one of
00:00
three criteria that they earn
00:00
over 25 million dollars in annual revenue.
00:00
The final regulations approved
00:00
on August 14th of 2020 clarified that again at MIT,
00:00
any revenues and not just revenues
00:00
within the State of California.
00:00
Or if that business collected
00:00
information from 50,000 individuals,
00:00
50,000 households, or 50,000 devices,
00:00
to include visits to websites,
00:00
IP address, and of the like.
00:00
Now there were other requirements in
00:00
the CCPA that gave rights to individuals.
00:00
The right to access their information and correct
00:00
once they were verified to have
00:00
the ability to correct that information.
00:00
The businesses themselves,
00:00
also one of the requirements
00:00
was if you earn more than half of
00:00
your annual revenues from the sale of
00:00
California resident PI to
00:00
third parties then you too had to comply with this law.
00:00
Now, the CCPA also defines a California resident not
00:00
just by consuming it purchases a good or a service,
00:00
is that anyone domiciled
00:00
in the State of California permanently,
00:00
although it had a provision that way you can
00:00
leave the state temporarily,
00:00
it's still pretty protected under the CCPA.
00:00
But you couldn't be a transient
00:00
just passing through the state
00:00
or in the state temporarily to be under its protections.
00:00
It gave protections to children that they had a right
00:00
to know what information was being sold to third parties.
00:00
If they were between the age of 13-15, that again,
00:00
those children had the right to
00:00
opt out of having their information
00:00
shared with third parties.
00:00
If you were below the age of 13, then again,
00:00
you had to have verifiable legal guardian
00:00
or parental consent.
00:00
CCPA also has requirements for notification that you have
00:00
to give notification to individuals under the law,
00:00
that told them about their rights.
00:00
Again, the responsibilities of companies,
00:00
how they might submit
00:00
complaints and disputes and of the like.
00:00
The CCPA also had a requirement that
00:00
said that anyone that was handling information,
00:00
employees and others and
00:00
those companies that had to comply with
00:00
the CCPA then again
00:00
they had to have appropriate training.
00:00
It said that once you verify the identity of
00:00
an individual and you had to provide
00:00
that information to them within a portable format.
00:00
The CCPA said you couldn't discriminate against
00:00
those individuals that sought to exercise their rights,
00:00
or retaliate against them
00:00
based on their right of refusal.
00:00
The CCPA said that also that,
00:00
for those companies that had to comply had
00:00
to create abilities for individuals to submit requests.
00:00
They'd have two ways of doing that,
00:00
either by calling a toll-free number or by having
00:00
links placed on the websites so that they can
00:00
use with instructions on how to
00:00
opt out of the sale of their information.
00:00
Individuals also have a right to request erasure of
00:00
their information in certain circumstances.
00:00
The CCPA sets a time limit
00:00
in which these companies or businesses,
00:00
as they're called, have to respond to those requests.
00:00
The CCPA also identifies what's
00:00
known as service providers,
00:00
businesses that are providing services to
00:00
these businesses but aren't processing,
00:00
storing, or handling any PI or
00:00
personal information on the behalf
00:00
of those covered entities.
00:00
Those are just some of the high-level requirements
00:00
stated with the CCPA.
00:00
I'd be remiss to say that the attorney general did submit
00:00
his initial set of
00:00
final regulations to the Office of Administrative Law in
00:00
March of 2020 and after a period of
00:00
public response and also further reviews,
00:00
he submitted it to the OAL for its review
00:00
and approval in June of 2020.
00:00
It was in August of this year that the final set was
00:00
approved and full enforcement
00:00
began on the behalf of the California AG,
00:00
not to say that he wasn't already doing so.
00:00
The regulations themselves,
00:00
and I encourage you to read those.
00:00
You can find them on the California AG website,
00:00
provide clarifications where some
00:00
of the CCPA's provisions,
00:00
and I encourage you to read those.
00:00
Now, when we talk about
00:00
the California Privacy Rights Act of 2020,
00:00
it has been proposed,
00:00
again that was placed on the ballot after over
00:00
900,000 Californians approved adding it to the ballot.
00:00
We're not sure if it's going to pass but if it does,
00:00
it's going to significantly amend the CPRA.
00:00
It's going to propose that the creation of
00:00
a California Privacy Protection Act.
00:00
It expands
00:00
the individual rights for California consumers.
00:00
It also requires that now
00:00
these companies that have to post a
00:00
do not sell my personal information link and they also
00:00
consider adding do not
00:00
sell or share my personal information.
00:00
It has no obligations or restrictions on
00:00
businesses and service providers.
00:00
I encourage you to review language about the CCPA.
00:00
I'm as you were CPRA is a mouthful,
00:00
and look forward to the third of November,
00:00
the CEF again, Californians vote
00:00
in favor of this game changing act.
00:00
Question 1 asks,
00:00
the CCPA defines a business as what?
00:00
The appropriate answers are.
00:00
A, B, and C. Question 2,
00:00
asks, the CPRA
00:00
introduces a new consumer privacy proposal.
00:00
What new consumer privacy proposals?
00:00
That's my apologies.
00:00
The answers are A, B,
00:00
C, and D. Again,
00:00
there are others and I encourage you to look and
00:00
review language about the CPRA.
00:00
In summary, we have two laws that are
00:00
game changing from a privacy perspective,
00:00
the CCPA and the proposed CPRA.
00:00
They have taken aspects of international laws
00:00
and proved the ability to
00:00
protect their residents' consumer privacy.