welcome everyone to lessen 4.3 as we discussed the need to inform the consuming public of your data handling practices.
We will then transition into how to operationalize notice obligations.
lesson 4.2 and 4.1. We're very pie in the sky and conceptual.
Ideally, in this lesson, we will get a little more granular and give you specific operational advice
than a quick programming note.
Essentially our third objective. All things cooking notice related that's actually going to be addressed in module six.
Keep an eye out for that because that is also a very important sub topic as it relates to the need to inform.
But we're going to park it and put it in less than six so that all things cookies are discussed in one coherent module.
When you are about to collect information, you need to inform your consumers that you are going to do so.
The CCP a specifically requires and I am ripping that from the text of the law itself
that you provide individuals at or before the point of collection notice of the categories of personal information it meaning the business will collect.
you need to build it. Your company mechanisms. Whenever there is the point of capture the point of collection, some sort of flash notice that a consumer is about toe have their personal information collected.
You need to inform them of the categories,
then item number two,
the purposes for which each category of personal information will thereafter be used.
I recommend the easiest way again is to do data mapping exercises.
Previously, I talked about outbound data transfer flows.
What we are discussing here are inbound data transfer flows identifying what entry points for personal information are within your network.
Where does the information come from?
If there is some sort of avenue from which personal information flows through and there isn't a notice right there that it filters through, that is a CCP a compliant gap.
Please keep an eye on it.
how do we operationalize all of this?
There is no specific CCP a guidance on how to provide consumers notice that their personal information is going to be collected.
The only guidance we have is that you need to identify the categories, and the reasons for the collection and how it's going to be used
in your experience is you probably have actually noticed some of these notices no pun intended.
in the top left. I actually want to call this one out.
I recall very frequently when checking into conferences,
there might be an individual. They're telling me that my personal information is going to be collected at that conference in some sort of way.
Usually I have to initial something.
That's the mechanism.
I'm driving that point home because the CCP A usually exists in a digital context.
But don't forget. It also applies to in person data collection as well.
Please keep an eye on it.
We're not just talking about computers.
The C C P. A. Applies to the physical world as well
on the top right of your screen. Perfect example.
An individual is surfing through the Internet or is perhaps engaging in and behind the counter section of a website or some sort of software offering
at that point where the personal information is about to be collected.
Boom. You need to put up a notice because personal information is going to be collected and the individual needs to be aware of it.
Please keep in mind here.
By the way, I'm not using the word consent.
At no point have I ever said hopefully that the C C p. A. Requires that you obtain the consent of a consumer before you collect their personal information.
It is. The case under the GDP are because you have to establish a legal basis.
We'll get more to that in module nine,
not under the C c. P. A.
We're only talking about providing them notice.
If they continue to surf the Web or continue Thio, interact with you in some way, then that's just fine.
All you need to do is to provide them notice.
You also need to provide secondary notice.
If, at any point individuals are going to suddenly be providing new categories or additional categories of personal information that the first notice did not address,
you need to provide them what's called secondary notice.
For some reason, this is actually a big trap for companies.
They provide a notice on the front end. When someone is perhaps logging into whatever SAS offering it happens to be,
then, once they're within the environment, the user is then providing additional unforeseen categories of personal information
that would be actually a violation of the CCP A. Because you, as the saying goes, need to ensure that notice is in fact being reflected as an ongoing obligation because you must always be providing notice to consumers when new categories of personal information are being collected
Please keep an eye on that.
You need to have developed and deployed mechanisms to provide noticed your consumers at all entry points for your network.
Hopefully, we've identified for you some quick tips on how to satisfy those notice obligations. But again,
I have to tell you, you really need to do some data mapping exercises to identify where that information is coming from.
A great way to obviously do that is. Take a look at your own employer.
See where personal information is entering your network,
perhaps switch seats and assumed the role of a user or just a general member of the consuming public and identify how information eventually lands in your network.
If at any point, there is not some sort of notice on the part of the consumer where they can see how information is going to be collected, the categories etcetera,
then that, yes is a CCP a compliance gap.
Please keep an eye on it
that summarizes everything in this lesson.
I'll see you in the next one.