The learning goals and objectives for this course,
We will review all 11.
I have to apologize at the outset.
There really is no other way to present this information to you than to run through all 11.
I apologize in advance if it might come off as laborious, but we will get through it. I hope, as informative Lee as possible.
Let's jump right into it.
Requirement number one.
Those are all the rights that identified for you in Module three.
Because most people just have no idea what rights they have under the c. C. P. A. And it is the responsibility of the business. I you to tell them that they have those rights.
You also, by the way, need to include non CCP a rights. Assuming your business is subject to a non CCP a type privacy law,
usually that's going to be the GDP are
You need to explain that the consumers how they are able to exercise their rights if they choose to do so.
We will discuss further and modulate the methods that consumers can pursue to exercise their rights.
Requirement number three.
You must inform consumers of the categories of personal information that the business collects.
If you recall in Module three, we discussed how access requests pertain to categories as well as the underlying pieces of information.
This right here, my friends,
is frequently a trap.
you are going to get fined.
This needs to be accurate.
Moving on to requirement number four.
The categories of personal information that your business has sold needs to also be declared.
You need to put that separately.
It's the categories of information that your business collects, and then you separately declare any categories of personal information that your business cells.
Now, if you believe in your heart of hearts that your business does not sell information, you are also, by the way, welcome. And I encourage you to discuss that with the privacy consultant, a privacy lawyer or your other stakeholders
that that is not the case.
again. That's a trap, my friends.
You need to make sure that that is, in fact, accurate that you do not sell personal information.
If it is later discovered that you do
you're going to get fined
requirement. Number five
the categories of personal information that your business discloses to a third party.
notice a trend here, but there is a difference.
There could be categories of personal information that you sent off to your vendors, but
that's not necessarily a sale.
You need to again list that separately. I strongly recommend you go through all your vendor contracts.
You meet with what I've called the data. Stewart's the business line and ask them,
what vendors do you use? What outbound traffic are you sending?
I strongly also recommend data inventories and data mapping exercises.
Privacy consultants and firms and other software solutions can help do that for you,
but you need to have a really good understanding of where the outbound data flows exist and who is receiving information from your company.
We will get to all that in module eight, so I'll skip it for now.
Requirement number seven.
You need to also declare how and why your company uses personal information internally.
That again is consistent with the desires of the privacy advocates and why the CCP, a was passed.
Organizations have frequently and historically been cryptic about what they do with personal information. Once it arrives within the organization,
you need to be sure that if there is some sort of internal processing activity that is occurring,
I think you see a trend here
thinking you are going to get find it needs to match reality.
How businesses Share and Disclose Personal Information to Third Party.
Previously, you are required to identify the categories of personal information that you sent to third parties.
we want to know the mechanism you used to effectuate that
you need to identify the technical data link that is being leveraged by your business to send information to whatever vendor is at issue.
You don't need to buy the way. Identify the specific vendors. Notice I did not put that there.
You do need to identify the categories of third parties.
If you have multiple cloud service providers, then you need to simply right
cloud service providers.
You don't need to identify specifically AWS, Google Azure
How your business addresses the privacy concerns Related to Children.
I will discuss all things relating to Children in module five, so I'll skip it here.
Your business has an obligation to declare to the outside world the technical and organizational controls used to safeguard information.
Because no other arm within the company except information security is going to understand intimately how your network is protected.
My guidance here has always been be proud, but
be realistically humble, one declaring it.
You don't need to again need Thio specifically cite all the nice controls or anything like that.
But you do need to generally identify the steps that your company takes to secure information
last but certainly not least
contact information for someone.
If a consumer wants to follow up with their privacy concerns,
there needs to be someone that can address it.
Phone and email are required under the C c p A.
there really was no other way to get through it.
It's a fantastic way to really understand the concept that we're trying to drive home here.
that summarizes less than 4.2.
I'll see you in the next one.