Sunday, October 25, 2020

The CCPA: Understanding California’s Solution to Online Consumer Rights

by guest writer Jack Filiba

Consumers often have their rights ignored by the online platforms they interact with. Businesses frequently sell their users’ personal data, exploit collected information, and/or inadequately safeguard sensitive user records. In order to introduce some semblance of user protection to an industry that escapes borders and is largely unavoidable in our everyday lives, governments around the world have begun introducing regulation designed to protect digital consumers.

For California, this regulation arrived in the form of the California Consumer Privacy Act (CCPA). Following prior discussions in the U.S. about enacting sweeping digital privacy regulation, California became the first state to do so when the CCPA was passed in 2018.

The Act officially came into effect at the beginning of 2020, bearing some resemblance to Internet regulation enacted in the European Union two years prior. For more information about the EU’s General Data Protection Regulation (GDPR), check out our previous article on the subject.

Continuing our series this National Cybersecurity Awareness Month (NCSAM), we’re exploring how the CCPA impacts users both in California and beyond.

Both the EU’s GDPR and California’s CCPA were birthed from similar motivations; they aim to ensure that consumers are afforded fundamental digital protections. Much in the same way that you are entitled to certain rights as a consumer when you interact with businesses in the real world, regulatory interventions such as the CCPA and GDPR are designed to establish rights for your online interactions as well.

[Figures: two pie charts, "Californian Support of the CCPA" and "Californian Support of expanding the CCPA", and a chart of "Average CCPA Preparedness" (survey by IAPP).]

2019 findings from Goodwin Simon Strategic Research showed that Californians overwhelmingly support the CCPA. 88% of respondents were found to be in favor of the act, with just 5% in opposition and 7% marked "unsure." Further, 88% said they supported expanding the state's consumer privacy rights beyond what is currently established by the CCPA.

When it comes to businesses, however, many may not be as ready to adapt to a CCPA-compliant landscape as their users. According to survey results from the IAPP last year, businesses rated their “CCPA preparedness” at 4.75 on average on a zero-to-ten scale.

“Most organizations are more unprepared than ready to implement what has been heralded as the most comprehensive privacy law in the U.S. ever.”
International Association of Privacy Professionals (IAPP)

Even if we assume the average level of CCPA preparedness has increased since businesses were surveyed last year, we are still left with the reality that users need to take it upon themselves to understand their rights in order to benefit from them. After all, you can file consumer complaints against businesses which fail to comply, and otherwise make conscientious choices, only by understanding what the CCPA actually affords you as a consumer.

Put into broad categories, applicable businesses have to grant users in California the following rights:

1. The right to know when businesses collect information about you

The CCPA states that businesses which collect personal information must inform you either at or prior to the collection of your data. They must also inform you how your data is being used and shared, as well as which categories of personal information will be used. Businesses are forbidden from collecting additional categories of personal information without first providing notice.

2. The right to know what information is being collected

This right grants you the ability to request that a business disclose the categories and specific pieces of personal information that it has collected about you.

3. The right to request the deletion of your personal information

The CCPA mandates that businesses which receive requests to delete your personal data must do so, as long as the information does not fall into one of the exception categories outlined in the text of the CCPA.

4. The right to opt out

Perhaps one of the most visible rights granted by the CCPA is the one which allows users to request that businesses do not sell their personal information. Since January 1st of 2020, many websites based in both California and other jurisdictions have been equipped with a form or button which reads “Do Not Sell My Personal Information.”

This change is a direct result of the CCPA stating that you have the right to instruct businesses not to sell your personal information. Further, if a business knows that a user is under the age of 16, it cannot sell that user’s information unless the user opts in.

5. The right to equal service and price when exercising your rights

The CCPA states that businesses cannot discriminate against you simply for exercising your rights. Businesses are also not permitted to make you waive your rights, and any such contracts are unenforceable.

If you are keeping track of both the CCPA and GDPR, it is important to note a few key differences between the two acts. Unlike the GDPR, the CCPA does not currently state that users are allowed to rectify incorrect information stored about them. In addition, the CCPA only instructs businesses to inform you of the categories of third parties they share information with, rather than specific information about the entities themselves. However, California’s regulation does include some requirements that are absent from the GDPR. These CCPA-specific requirements include “Do Not Sell My Personal Information” buttons on applicable websites and the rule that users under the age of 16 must opt in before their data is sold.

Ultimately, while acts like the CCPA and the EU’s GDPR are restricted to their geographies in a technical sense, their impact is not. Increasingly, businesses around the world are finding it easier to comply rather than differentiate between users based on their local laws. Further, these acts are having a ripple effect among regulators around the world and igniting conversations about online consumer rights.

While the California Consumer Privacy Act is far from being a “silver bullet” that will magically make your personal information safe online, knowing about your rights arms you with the ability to recognize when businesses fail to uphold them. Further, understanding the protections entitled to you under the CCPA allows you to avoid or report businesses which are not compliant and enjoy a version of the Internet that is less insistent on ignoring your rights.

Jack Filiba is a journalist specializing in coverage of digital and financial technologies, as well as new and emerging media formats. Get in touch with him via JaFiliba[at] or follow him on Twitter.


Sunday, October 18, 2020

How the General Data Protection Regulation (GDPR) Aims to Protect Your Personal Data

by guest writer Jack Filiba

We are in the midst of some of the largest changes to online data collection and consumer rights in the history of the Internet. One such change arrived in the form of the General Data Protection Regulation (GDPR). Enacted by the European Union, this nascent regulation impacts your digital rights and affordances — even if you live outside of the EU.

In honor of National Cybersecurity Awareness Month (NCSAM), we’ve decided to break down how this regulation impacts everyday users.

The GDPR is largely the result of growing concerns among regulators, who criticize the ways in which businesses exploit personal data belonging to their users and fail to keep sensitive information secure. To name a few motivators for such policy, look no further than recent scandals such as Facebook’s run-in with Cambridge Analytica and data breaches such as the one Equifax experienced in 2017. Not only did these incidents expose sensitive information belonging to approximately 87 million and 147 million consumers respectively, they also exposed how vulnerable everyday users are in the contemporary digital landscape.

Yet, while many recognise that the ubiquitous sale and collection of data raises ethical concerns and creates risk, the public largely remains unaware of how acts like the GDPR actually intend to safeguard their information. The EU Digital Single Market’s former vice president, Andrus Ansip, said last year that “only three in ten Europeans have heard of all their new data rights.”

Critics of the GDPR identify this lack of public awareness as one of the act’s shortcomings. After all, if consumers are unaware of their rights, businesses may experience less pressure to comply.

Although the GDPR came into effect back in May 2018, many still incorrectly assume that it is only relevant to their online activity if they are physically located within one of the EU’s member states. On the contrary, the Internet is unfazed by borders. Companies around the world who wish to continue serving their users in the EU have had to adapt to the Union’s legislation. In turn, this fundamentally restructured how they interact with online audiences on a global level. Or, to put it in legalese:

“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
GDPR, Article 3 (“Territorial scope”)

As indicated in Article 3 of the GDPR, businesses outside of the EU have to comply in order to continue serving their EU customers. As such, this policy has had a ripple effect on consumer rights. Regardless of whether you’re located in Portugal or Portland, you may still be entitled to certain online protections as a result of the GDPR. It is worth noting, however, that some U.S. states have implemented similar regulation of their own. Your rights under the California Consumer Privacy Act (CCPA) will be explored in our next article.

At its core, the GDPR aims to achieve three outlined objectives: establish rules for the processing of personal data and its movement, protect the fundamental rights of individuals, and permit the free movement of personal data within the EU. Notably, it draws upon the idea that data protection is a fundamental right.

So what does this all mean for you?

Broadly speaking, the GDPR affords you eight essential rights and protections when it comes to your personal data. As previously mentioned, recent findings showed that even in the EU, the majority of consumers are not aware of all of the new rights introduced by this regulation.

1. The “right of access by the data subject”

The right of access means that you can formally ask businesses if they are processing your personal data. If so, you can enquire about why your information is being processed, the type of data collected, who your information will be shared with, how long it will be stored (where possible), the source of the information, and a few other key pieces of information designed to inform you about how your personal information is being used.

2. The “right to rectification”

This article in the GDPR grants you the ability to rectify your personal data when it is incomplete or incorrect.

3. The “right to erasure”, a.k.a. the “right to be forgotten”

Under the GDPR, users have the right to request that businesses erase their personal information, for instance when you decide to opt out of a service. Yet, there are many limitations to this request. If you’d like to know more, these limitations are outlined in Article 13.

4. The “right to restriction of processing”

The GDPR further states that individuals have the right to request the restriction of the processing of their personal data. Here, businesses can still store your information but are not allowed to process it. As with the previous right, there are many limitations to your ability to restrict processing. These limitations can be found in Article 18.

5. The “right to be informed”

This phrase is used to refer to the range of information that needs to be provided to users in regards to their data. Perhaps most importantly, it mandates that businesses must inform you of how, and why, your data is being collected.

If you have come across a GDPR notice online which informs you why your information is being collected, you have seen this right in action.

6. The “right to data portability”

Where feasible, this right allows you to obtain and reuse your personal data across different services.

7. The “right to object”

Similar in many ways to your right to be forgotten, the right to object allows you to object to the processing of your personal information when certain criteria are met (as outlined in Article 12). For instance, the GDPR affords you the ability to object when your information is being processed for direct marketing purposes.

8. “Automated individual decision-making, including profiling”

Finally, the GDPR also grants you the ability to object in situations where decisions are made solely on the basis of automatic processing and/or profiling. It allows you to override important decisions made automatically in favor of manual consideration and human involvement. For instance, in cases where your specific situation is not appreciated by an automatic, non-human process.

When businesses do not comply with the mandates outlined by the GDPR, they face economic penalties. If you identify or experience a business failing to uphold your digital rights, you can lodge a complaint with the relevant Data Protection Authority of an EU member nation.

Knowing your rights will help you navigate a version of the Internet that is, at least partially, less prone to the exploitation of consumers' personal data. While the nascent realm of digital regulation still has a long way to go when it comes to safeguarding everyday users, learning about the protections offered to you by the GDPR can help you make informed choices online when it comes to the data you share and the services you interact with.

Jack Filiba is a journalist specializing in coverage of digital and financial technologies, as well as new and emerging media formats. Get in touch with him via JaFiliba[at] or follow him on Twitter.


Sunday, October 11, 2020

NCSAM 2020: Updating Old Claims

Last year, I made some comments about VPNs.

Most of those statements were based on old information, pre-HTTPS-Everywhere. They weren't inherently wrong, or even bad advice. They were merely out-of-date in a way that could be perceived as fearmongering.

I don't like fearmongering, and even as the themed October posts sometimes lean that way (it's hard not to, given the risks so many people take on the Internet without even knowing it), I still try to avoid it as much as I can.

I could feed you all corrected information, or I could share with you a video of someone else who actually is a computing expert explaining all the things in clearer language than I could probably manage, even with skirting the edges of plagiarism.

So yes, there are good reasons for using a VPN. Also, there actually is a relatively easy way to find a VPN provider that truly doesn't save logs: you just have to find one that has been subpoenaed and released no information, because they didn't have any to release.

So yes, there are good reasons to use a VPN, but protecting your passwords or credit card numbers isn't one of them. As for the "probably not a front for the FBI" gag, you should probably read this.


Sunday, October 4, 2020

NCSAM 2020: Is it that time of year again already?

Okay, I'll be honest. I actually wrote this last year. I had a fit of inspiration, and I wanted to commit to doing this series more frequently, more than just the three years out of nine that I've done this, celebrating National Cyber Security Awareness Month, and the easiest way to do that is just to write out all the posts ahead of time.

Technology may grow and change in ways that we don't always expect, even on the scale of days or hours, but the basics of security and human nature are pretty immutable; they change over millennia, if they even change at all. Not over the span of a single year.

But I do this because I really do believe that this is important. Instead of telling you this year that it's time again to change your passwords, this time I'm going to ask.

How often do you change your password? And I'm not just talking about any old account. I'm sure everyone reading this (including you little web-crawler bots, hi, I see you too) has plenty of minor accounts lying around that you don't really think about, and that you probably don't even use that often.

No. I'm asking about your primary email account. The one that's connected to your bank accounts, your credit cards, your best friends, and possibly even your utility bills. The one you've had since ages ago and you can't even imagine what would happen if you lost access to it.

Yes, that account.

How often do you change that password?