Need to Inform

Video Activity
Start your free 3-day trial and become one of the 3 million Cybersecurity professionals advancing their career goals
Sign up with
OR

Already have an account? Sign In »

Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:01
welcome everyone to lessen 4.3 as we discussed the need to inform the consuming public of your data handling practices.
00:09
The learning goals and objectives for less than 4.3 will be to review the notice requirements that are separate keyword. They're separate from the privacy policy.
00:19
We will then transition into how to operationalize notice obligations.
00:24
I feel for you
00:25
lesson 4.2 and 4.1. We're very pie in the sky and conceptual.
00:30
Ideally, in this lesson, we will get a little more granular and give you specific operational advice
00:36
than a quick programming note.
00:38
Essentially our third objective. All things cooking notice related that's actually going to be addressed in module six.
00:45
Keep an eye out for that because that is also a very important sub topic as it relates to the need to inform.
00:51
But we're going to park it and put it in less than six so that all things cookies are discussed in one coherent module.
00:58
When you are about to collect information, you need to inform your consumers that you are going to do so.
01:03
The CCP a specifically requires and I am ripping that from the text of the law itself
01:08
that you provide individuals at or before the point of collection notice of the categories of personal information it meaning the business will collect.
01:19
This is to be absolutely clear, separate from the privacy policy
01:23
you need to build it. Your company mechanisms. Whenever there is the point of capture the point of collection, some sort of flash notice that a consumer is about toe have their personal information collected.
01:34
You need to inform them of the categories,
01:38
then item number two,
01:40
the purposes for which each category of personal information will thereafter be used.
01:46
I recommend the easiest way again is to do data mapping exercises.
01:51
Previously, I talked about outbound data transfer flows.
01:55
What we are discussing here are inbound data transfer flows identifying what entry points for personal information are within your network.
02:04
Where does the information come from?
02:06
If there is some sort of avenue from which personal information flows through and there isn't a notice right there that it filters through, that is a CCP a compliant gap.
02:15
Please keep an eye on it.
02:17
So
02:19
how do we operationalize all of this?
02:22
There is no specific CCP a guidance on how to provide consumers notice that their personal information is going to be collected.
02:30
The only guidance we have is that you need to identify the categories, and the reasons for the collection and how it's going to be used
02:38
in your experience is you probably have actually noticed some of these notices no pun intended.
02:46
Let's go through it
02:46
in the top left. I actually want to call this one out.
02:50
I recall very frequently when checking into conferences,
02:53
there might be an individual. They're telling me that my personal information is going to be collected at that conference in some sort of way.
03:00
Usually I have to initial something.
03:02
That's the mechanism.
03:05
I'm driving that point home because the CCP A usually exists in a digital context.
03:09
But don't forget. It also applies to in person data collection as well.
03:15
Please keep an eye on it.
03:16
We're not just talking about computers.
03:19
The C C P. A. Applies to the physical world as well
03:23
on the top right of your screen. Perfect example.
03:24
An individual is surfing through the Internet or is perhaps engaging in and behind the counter section of a website or some sort of software offering
03:35
at that point where the personal information is about to be collected.
03:38
Boom. You need to put up a notice because personal information is going to be collected and the individual needs to be aware of it.
03:46
Please keep in mind here.
03:47
By the way, I'm not using the word consent.
03:52
At no point have I ever said hopefully that the C C p. A. Requires that you obtain the consent of a consumer before you collect their personal information.
04:00
That is not true.
04:02
It is. The case under the GDP are because you have to establish a legal basis.
04:08
We'll get more to that in module nine,
04:10
not under the C c. P. A.
04:12
We're only talking about providing them notice.
04:15
If they continue to surf the Web or continue Thio, interact with you in some way, then that's just fine.
04:20
All you need to do is to provide them notice.
04:26
You also need to provide secondary notice.
04:29
If, at any point individuals are going to suddenly be providing new categories or additional categories of personal information that the first notice did not address,
04:38
you need to provide them what's called secondary notice.
04:42
For some reason, this is actually a big trap for companies.
04:46
They provide a notice on the front end. When someone is perhaps logging into whatever SAS offering it happens to be,
04:51
then, once they're within the environment, the user is then providing additional unforeseen categories of personal information
05:00
that would be actually a violation of the CCP A. Because you, as the saying goes, need to ensure that notice is in fact being reflected as an ongoing obligation because you must always be providing notice to consumers when new categories of personal information are being collected
05:19
in summary
05:20
notice. Obligations exist well beyond the privacy policy.
05:25
Please keep an eye on that.
05:26
The privacy policy is not enough to bring you home.
05:30
You need to have developed and deployed mechanisms to provide noticed your consumers at all entry points for your network.
05:36
Hopefully, we've identified for you some quick tips on how to satisfy those notice obligations. But again,
05:42
I have to tell you, you really need to do some data mapping exercises to identify where that information is coming from.
05:48
A great way to obviously do that is. Take a look at your own employer.
05:54
See where personal information is entering your network,
05:57
perhaps switch seats and assumed the role of a user or just a general member of the consuming public and identify how information eventually lands in your network.
06:04
If at any point, there is not some sort of notice on the part of the consumer where they can see how information is going to be collected, the categories etcetera,
06:13
then that, yes is a CCP a compliance gap.
06:16
Please keep an eye on it
06:18
that summarizes everything in this lesson.
06:21
I'll see you in the next one.
Up Next
California Consumer Privacy Act (CCPA)

This course examines the privacy obligations that are established by the California Consumer Privacy Act (CCPA) and how students can help their employers implement changes to their organizations to remain compliant with this new law.

Instructed By