#Does my California business need to comply with CCPA regulations
legalfirmindia · 28 days
Data Protection: Legal Safeguards for Your Business
In today’s digital age, data is the lifeblood of most businesses. Customer information, financial records, and intellectual property – all this valuable data resides within your systems. However, with this digital wealth comes a significant responsibility: protecting it from unauthorized access, misuse, or loss. Data breaches can have devastating consequences, damaging your reputation, incurring…
adzapier · 3 years
California Consumer Privacy Act (CCPA) FAQs
What is CCPA?
The California Consumer Protection Act is a law meant to give Californians enhanced rights over the use and sale of their personal information. Once a company collects your personal data, you have these rights:
- Access: you can access the data collected and ask how they will use the data.
- Deletion: to request they delete your data, unless it is vital for security purposes, legal compliance, or providing an essential service.
- Opt-out of “sales”: gives you the right to opt out of having your data “sold” to a third party.
When did CCPA go into effect? 
January 1, 2020, but there was a six-month grace period on enforcement for brands up to July 1, 2020. 
Who is impacted by CCPA? 
Any brand categorized as “business,” “service provider,” or “third-party” that does business in California and sells, buys, or collects personal information from online consumers.
How do brands and publishers know their category?  
- Business: is a for-profit entity conducting significant business in California collecting consumers’ personal information, with more than $25 million gross revenue annually; or buys, sells, shares, or receives personal information of more than 50,000 consumers, devices, or households for commercial purposes; or derives more than 50% of its annual revenue from personal information sales.
- Service Provider: are entities that process information on behalf of other businesses for profit.
- Third-Party: is neither a business nor service provider collecting consumers’ personal information.
What additional rights will California residents get under the CCPA?  
If you are in California, you can request a business to disclose:
- Categories and specific pieces of your personal information it has collected.
- The commercial purpose for selling or collecting your personal information.
- Third parties with which the business shares your personal information.
Additionally, you can request collected personal information be deleted, subject to certain exceptions. Alternatively, you can opt out of the selling of your personal information.
Businesses must provide an accessible and cost-free way of exercising these rights and respond to such requests within 45 days of receipt. The timings for deleting and ‘Do-Not-Sell’ requests are hazy.
Does it mean our company has to amend its online privacy policy?  
Yes. The bare minimum is providing a California-specific form of privacy notice incorporating substantive elements linked to disclosures as provided by the CCPA. In short, online privacy policy or any California-specific notice must include information such as:
- Description of consumers’ rights.
- The categories of personal information sold or disclosed for business purposes in the preceding 12 months.
- A description of any financial incentives for providing data.
What are the potential penalties for violations of the CCPA?  
Each violation can attract up to $2,500 in civil penalties, while failure to make good a 30-day opportunity to cure and each intentional violation after notice may attract a $7,500 fine. 
Will this negatively impact digital advertising efforts? 
It’s more nuanced than that. Sure, businesses use this personal data collection to gauge consumers’ shopping habits. Without this data, businesses cannot offer targeted advertising, reducing their chances of engaging and converting.  Ultimately, CCPA can improve the advertising ecosystem for both the consumer and business. Brands will know which consumers are open to personalized advertising or offers while enhancing transparency and rights in using and selling consumers’ personal information. 
What can a business do/not do with a user’s personal information who has opted out of sales? 
It means the company can still use the information to complete that transaction and pay the ad commission, but not beyond that transaction. 
What are the impacts of non-compliance? 
That will depend on the severity of the infraction:
- Private enforcement: you can file a lawsuit in the event of a data breach to recover up to $750 per actual incident or damage, whichever is greater.
- Governmental enforcement: The State’s AG can file a civil case, giving businesses up to 30 days to fix non-compliance or they will be liable for up to $7,500 in fines per violation.
What is required to fulfill the CCPA requirements? 
Brands, publishers, and advertisers will need to provide explicit notice and an opportunity to opt-out to consumers before collecting and sharing consumer data. 
What is required for publishers to fulfill the CCPA requirements? 
Publishers must disclose privacy rights through a link on their site. Alternatively, businesses can block traffic via the IP addresses of Californians. Publishers should implement a Consent Management Platform that collects and passes consumers’ opt-out requests and consent information to partners. Publishers can include a ‘Your Privacy Rights’ link, leading users to a page disclosing what personal information the company may collect.
The effect of the CCPA on brands based outside the US? 
Any brand that buys, sells, receives, or shares personal information of at least fifty thousand California residents annually, must comply with CCPA regardless of location.  
Is there a chance of this privacy policy advancing to a federal level?  
Many states and other countries worldwide have adopted similar privacy regulations, so there is a good chance it could go federal.
andreacaskey · 5 years
Google Ads intros ‘restricted data processing’ capability for CCPA compliance
Google will offer restricted data processing to enable businesses to comply with the California Consumer Privacy Act (CCPA), the company announced Wednesday. With restricted data processing enabled, Google will act as an affected business’ (advertiser, publisher or partner) data processing service provider. Here we’ll look at what this means for advertisers.
Restricted data processing, Google explained, will “restrict how it uses certain unique identifiers, and other data processed in the provision of services to you, to only undertake certain business purposes.”
What is the CCPA? Similar to the EU’s General Data Regulation Protection (GDPR), the CCPA provides several data privacy protections for California state residents. It is set to go into effect on January 1, 2020. Affected businesses must give California residents the ability to opt-out of the sale of their personal data on their website homepages. CCPA applies to businesses that, in part, meet one of the following criteria: Have annual gross revenue of at least $25 million; buy, receive or sell personal data of at least 50,000 consumers, households or devices; derive at least 50% of their annual revenues from selling personal data.
How restricted data processing works. With restricted data processing applied, features such as adding users to remarketing lists and similar audience seed lists will not be available. Google notes that for App campaigns this means users who download an app from an ad will continue to see ads for the app.
Conversion tracking and measurement will still work with restricted data processing as will services including ad delivery, reporting, measurement, security and fraud detection, debugging and product improvement information.
Third-party ad tracking or serving will not be affected when restricted data processing is enabled. The ads will continue to serve on the Google Display Network and other networks “unless disabled by a publisher.” Google will not respond to bid requests for cross-exchange display remarketing ads when a publisher sends an opt-out signal.
It may be implemented to apply to all users in California or on a per-user basis when users click on a “Do Not Sell My Information” link, for example.
How advertisers can enable it. Customer Match and Store Sales direct upload already operate using restricted data processing, and users don’t need to take action.
In Google Ads, setting the allow_ad_personalization_signals parameter will set the value to false and enable restricted data processing. You only need to set it once to apply it across all products configured through your global site tag (gtag). You can find more details on this help page.
For App campaigns using the Firebase SDK, disable personalized advertising features as explained here.
Google Analytics will act as a service provider for affected businesses when they have disabled sharing with Google products and services per an addendum to its Data Processing Terms. When data sharing is disabled in Google Analytics, it will only use data collected on behalf of the customer in Google Analytics to provide Google Analytics services. That data will not be able to be used for remarketing lists, for example.
Responsibilities. Advertisers, publishers and partners working with Google are responsible for ensuring they’re using its products in compliance with CCPA, the company says. Partners “must decide for themselves when and how to enable” restricted data processing.
Restricted data processing, Google states, does not apply to “the sending or disclosure of data to third parties” that advertisers, publishers or partners work with.
Additionally, if you share data between Google products, the data will be subject to the terms of the recipient product.
Why we should care. If your business falls under CCPA, you’ll want to be sure you’re adhering to the regulations across your digital marketing efforts. Given the size of California’s population, this regulation will have an impact on the ability of those businesses to retarget and build lookalike audiences based on site visitors and customers on a potentially sizable percentage of their potential audience (California represents 12% of the U.S. population).
This story first appeared on our sister site MarTech Today.
The post Google Ads intros ‘restricted data processing’ capability for CCPA compliance appeared first on Search Engine Land.
simplemlmsponsoring · 5 years
New Post has been published on https://simplemlmsponsoring.com/attraction-marketing-formula/email-marketing/ccpa-how-to-get-ready-for-the-california-consumer-privacy-act/
CCPA: How to Get Ready for the California Consumer Privacy Act
Last year, GDPR made us all revise our data protection compliance. But there are new data protection regulations coming on January 1, 2020. The California Consumer Privacy Act will come into effect to protect Californian residents’ personal information. Here’s what you need to know to get ready and why it is important to be CCPA compliant even if your business isn’t based in the US.
What is the CCPA?
CCPA stands for the California Consumer Privacy Act, said to be the United States’ most stringent privacy law.
California will become the first state to roll out such expansive data protection regulation, when it comes into effect on January 1, 2020.
Since GDPR (General Data Protection Regulation) – which marked the biggest change to EU data protection law in 20 years – we’re seeing a global shift to better personal data protection.
In fact, the CCPA shares similar principles to GDPR – especially when it comes to extensive rights for individuals, and extraterritorial scope.
Let’s look at what the CCPA is all about, how it might affect your business, and how you can get ready.
Who does the CCPA protect?
It regulates the way your business handles Californian residents’ personal information – regardless of your relationship with them.
Will the CCPA affect me?
You’ll need to comply if your business makes over $25 million revenue a year, processes (buys, sells, receives or shares) 50,000 or more Californian consumer records each year, or gets 50% of its annual revenue from selling Californians’ personal information – even if your business is based outside the state.
The bill also applies if you share common branding (like your name, service mark, or trademark) with a business that meets these criteria.
Why should I comply?
Being transparent about the way you process customers’ data – and handling it properly – helps build trust and cooperation.
And as privacy laws continue evolving, people are more aware than ever of their rights. So you need to take care of data protection across your business activities.
Since GDPR, we’re already familiar with this at GetResponse – and data protection is at the core of our business.
There are severe penalties if you don’t comply with the CCPA. Aside from lost customer trust, you could face a maximum fine of $750 per consumer or violation. That means that if you collect data from 1,000 California residents, you could be fined $750,000.
Also, if you don’t meet certain data security requirements, consumers can demand that you fix it within 30 days, or risk legal action.
How should I comply?
Being transparent
Consumers have the right to know what personal information you process – and how you do it. It’s a good idea to review your information notices and privacy policies, and make sure they mention:
- Types of personal data your business collected, sold, or disclosed within the last 12 months.
- How and why you use personal data.
- Who you share personal data with.
Your privacy policy should be easy to access on your website, and you should review it every year to keep it up to date.
How service providers process your customers’ data
Do you engage third-party service providers to process customers’ personal information? Then you need to:
- Evaluate your chosen processor.
- Set up a data processing agreement.
- Forward them any requests to delete data.
If you upload your contact list to GetResponse, we become the data processor. And we’ll help you comply with these obligations.
We already have Data Processing Agreements (DPAs) to meet your GDPR requirements. And you will be able to download a copy of our DPA for CCPA compliance in your account settings, via the DPA tab.
You will also be able to generate a downloadable personalized contract with us.
Your customers’ rights
Just like GDPR, CCPA focuses on the rights of individuals.
For instance, customers can ask you for their personal data – as well as why, where and with whom it was collected, sold or shared. You have 45 days to respond to the request, and you must provide information about how the data was handled within the year preceding the request.
We’ve made it easy for you to comply, with these options in your GetResponse account:
Your contacts can view and update their data in your GetResponse account. They simply click the “Change contact details” link that’s automatically included in your message footer.
You can also update your contact’s data upon their request. Just go to the Contacts section of your account, search and click on their name, and edit the custom fields. You just can’t change their email address and opt-in proof.
You can export a contact’s details at any time, and send it to them as a CSV, XLS or XML file.
Deleting the data
If a customer asks you to delete their data, you must remove everything you’ve collected – and ask your service providers to do the same, unless you have other legal grounds to process the data.
To comply, look for these options in your GetResponse account:
1. Your contacts can unsubscribe from your list via the link we automatically add to your message footer. See how can a contact unsubscribe from my list and updating footer links.
2. You can also remove contacts from your list or entire account if they ask you to. Here’s how:
3. Our customer support team can also remove them for you.
Remember to ask any other data processors (such as third-party services) to erase their data – or do it yourself.
Opting out of selling the data
Customers can also prevent you from selling their personal information. To make it easy for them, add a clear and visible “Do not sell my personal information” link on your homepage.
You can also use GDPR fields: simply create it as a ‘consent’ that subscribers can manage.
If your customers are 16 years or younger, you’ll need their express consent to sell their data.
Being free from discrimination
You can’t charge different prices, offer different services or deny them to people who exercise their rights under the CCPA.
In some cases, and under certain circumstances, you can offer financial incentives to collect, sell, or not delete their personal information.
How can I get prepared for CCPA?
Here’s a handy guide to help you get ready:
1. How do you process personal information?
Check:
- When and how you collect it.
- Where, for how long, and what systems you use to store it.
- Who you share it with.
Review this across your organization, including your human resources or customer service teams.
2. How will you comply?
Check if your systems make it easy to follow the rules for data deletion, access, portability, and opting out.
You could:
- Set up a toll-free number and email address for customer requests (like ours: [email protected]).
- Elect a person or team to deal with requests within 45 days (like our Data Protection Officer).
- Set up processes to handle opt-out requests.
- Review your online privacy policies.
- Train your customer-facing staff on privacy practices.
We have customers outside California. What should we do?
Should you extend the CCPA privacy rights to customers living outside California – or have separate privacy policies and ways to handle personal data?
That’s up to you. To help you decide, consider this:
- Can you easily distinguish between information on Californian residents and those in other states?
- How will it impact your customer relations if you tell non-Californian customers they don’t have the same rights as Californians?
- If you voluntarily make CCPA compliant statements to consumers across the US – will you be able to live up to those statements?
- Are other states likely to follow California’s move with their own privacy obligations?
What’s next?
Looking ahead, California’s Attorney General might announce rules on how to implement the regulations.
For instance, he could clarify what information you need to add to your customer notices. Or prescribe a standardized “Do Not Sell My Personal Information” logo. He might also outline how to respond to customer requests, or add new categories for personal information and identifiers – to respond to changes in technology, data collection, obstacles implementing the rules, and privacy concerns.
This will all happen by July 1, 2020. So stay tuned! We’ll keep you in the loop.
The post CCPA: How to Get Ready for the California Consumer Privacy Act appeared first on GetResponse Blog – Online Marketing Tips.
unixcommerce · 4 years
What is the CCPA and Could It Threaten Your Small Businesses?
Protecting personal information of clients should be tops on your radar, and it’s growing increasingly complex. The recent enacting of the California Consumer Privacy Act (CCPA) may not directly affect your small business, but you need to know about it. It is definitely a sign of things to come regarding data protection.
What is the CCPA?
The CCPA is a regulation aimed at protecting the personal information of California residents, giving those residents more control over their data. You might think it has nothing to do with your small business. After all, you don’t operate in California, right?
The CCPA has jurisdiction not only over businesses operating in California, but also over all businesses that process the personal information of California residents. In order for the CCPA regulation to apply, the business must have annual gross revenue of more than $25 million.
So, you’re thinking, the CCPA doesn’t apply to my small business. I don’t operate in California or have customers in California. Even if I did, my business revenue isn’t anywhere close to $25 million.
But you do need to pay attention to CCPA, because it’s a sign of things to come. It was the first regulation of its kind in the United States, and other states have either enacted their own regulations or have legislation in the works.  You need to be sure that you have data protection software in place.
A Data Privacy Regulation Example from New York
In March 2020 New York launched the SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which requires businesses to have safeguards in place to protect an individual’s private information.
As with the CCPA, the SHIELD Act works both ways. It doesn’t only apply to a business operating in New York. Any business that maintains the private information of New York residents is included.
The private information includes information such as credit or debit card numbers, bank account numbers, user names and email addresses, for example. The SHIELD Act requires businesses that have private information about New York residents to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information.”
Penalties for noncompliance, and breaches, can be high. For example, in the CCPA legislation, businesses which don’t comply with the CCPA can be fined from $2,500 to $7,500. California residents who are victims of a breach can sue the company.
The SHIELD Act is enforced by the state’s Attorney General. The maximum penalty is $250,000.
How Can Your Business Be Compliant with Data Protection Legislation?
Your first step is to take stock of how much personal information from customers you store on your computer or computers. Analyze how the data is stored and how it is protected.
Next, research data protection regulations in your home state. Is your small business in line with the requirements? Do you have the right software to keep your business in compliance with data protection regulations? Where are areas that need improvement?
Remember that if a breach happens, you’ll have to be able to prove that you were compliant with regulations. You may be asked to generate reports about your compliance efforts to prove that you weren’t liable.
Ideas for Outsourcing Data Protection
A number of companies specialize in information technology, network security and SaaS (software as a service). Those companies are already familiar with standard ways to secure data. They know how to maintain and provide the documentation that backs up those security efforts.
Let’s take a look at one of them.
Electric AI Works with Small Businesses
According to Alex Foley, CISO at Electric AI (Artificial Intelligence), the company works with businesses to develop and standardize the documentation processes involved with compliance reporting. The company focus is on startups and small businesses, helping them ensure they are compliant with all present and future legislation.
“Our typical customer has from 25 to 300 employees,” Foley said. “Customer industries include, but are not limited to, financial services, tech, consumer, advertising/marketing, HR, and health / wellness.”
Electric AI works with a range of businesses. They include those with no IT solution in place. But they also include those with an internal IT or an outsourced IT provider.
Common Data Protection Deficiencies in Small Businesses
“Many companies have unsupported and unpatched firewalls,” Foley said. “This lack of support and critical security patching could lead to a compromise of the firewall and the network behind it.”
Many companies possess ports and services open to the Internet. As a result, this leads to a compromise of the firewalls themselves or devices and services behind them. The Electric AI team offers an operational and security review of all new customers. For example, the review ensures devices get support from the manufacturer, have current patching and have a minimum of ports open to the Internet.
More than half of all customer workstations onboarded by Electric AI lack basic security controls. For example, basic security controls include automated security patching, full disk encryption, automated screen lock and firewall enabled.
What Does Electric AI Do?
Electric AI seeks to alleviate problems. As a result, the company performs a comprehensive network review and remediation as part of onboarding. For example, with workstations Electric AI works to implement a default set of policies. As a result, they improve the security posture of customer workstations.
Does Your Small Business Need Better Data Protection?
“We cannot officially tell stories, but we have seen more than a few situations where we have onboarded customers which had critical security vulnerabilities in their equipment,” Foley said. “Our reviews and remediation efforts dramatically improve these customers’ security posture in short order.”
With Electric AI, customers see information about their security. They also see their operational posture though the Electric Turbine Dashboard. For more information, email is [email protected] and phone is 646-779-1607.
This article, “What is the CCPA and Could It Threaten Your Small Businesses?” was first published on Small Business Trends
https://smallbiztrends.com/
The post What is the CCPA and Could It Threaten Your Small Businesses? appeared first on Unix Commerce.
from WordPress https://ift.tt/2ykgMEY via IFTTT
neptunecreek · 4 years
Ten Questions—And Answers—About the California Consumer Privacy Act
You may have heard from a lot of businesses telling you that they’ve updated their privacy policies because of a new law called the California Consumer Privacy Act. But what’s actually changed for you?
EFF has spent the past year defending this law in the California legislature, but we realize that not everyone has been following it as closely as we have. So here are answers to ten frequently asked questions we’ve heard about the CCPA.
What is the California Consumer Privacy Act?
In a nutshell, the California Consumer Privacy Act (or CCPA) grants Californians three basic rights when it comes to their relationship with businesses: the right to know what information companies have about you, the right to delete that information, and the right to tell companies not to sell your information.
What does that actually mean for me?
Practically speaking, this means that, if you ask, a business must tell you the specific pieces of information they have about you, and the categories of companies they’ve disclosed it to and obtained it from. If you ask them to delete the information they have on you, they have to do it, subject to certain exceptions, such as specific security threats or when deletion would interfere with another consumer’s free speech. And if you ask them to stop selling your information, they have to listen. If they don’t comply with these requests, they can be fined by the California Attorney General.
Companies also generally cannot discriminate against you for exercising your rights. They’re not allowed to charge you more money or give you a worse version of their service if you choose a more private option.
How much does the CCPA do for my privacy?
The CCPA is an important first step towards a comprehensive consumer data privacy law. We have little visibility into what information companies collect and how they pass it to other companies, but they use this information in ways that concretely affect our lives. Profiles based on digital surveillance of our lives are used to set insurance rates, make mortgage decisions, or even give companies we don’t know insight into our everyday movements. The CCPA lets us shine much-needed light into that system. And crucially, opting out of the sale of data, or deleting it, gives people some control over how their information is passed to other companies.
The CCPA alone is not going to fix everything that’s wrong with how companies abuse our privacy. But it’s an important start.
What kind of information does this cover? Is it everything from every business?
Companies collect a lot of information about us that isn’t already available to the general public and reveals a lot about us, including where we go, who we associate with, and what our interests are. The CCPA makes sure that everyone can have more control over any information that companies have about them that could be reasonably used to identify them.
But not every business is covered by the law. The CCPA doesn’t apply to smaller companies that aren’t in the business of making money off your personal information. A company isn’t covered if it generates less than $25 million per year in revenue, collects information on less than 50,000 consumers each year, or derives less than 50 percent of its annual revenue from data.
How are companies supposed to be allowing me to make requests?
To comply with the law, companies are required to offer their customers two ways to contact a business to make requests. Businesses have to point to where people can make those requests in their privacy policy or on their website. Once a company receives a request, and verifies it, they have to respond in 45 days—though they can get an extension if they need one. They also can’t charge you for a reasonable request, and generally have to give you the information in a format that your computer could actually read.
What does that look like in practice?
This is where we get to all of those emails. Companies are putting this information in their privacy policies, and sending notice about those changes to you in the form of an email. Companies that do business online should have the information on how to make your request somewhere on their website.
The CCPA applies to companies that do business offline as well as online, if they are collecting personal information. So, if a store or restaurant fits the bill, they’ll have to let you know about it with a physical notice, such as a sign.
When does this law go into effect?
The CCPA is in effect as of January 1. That means that Californians can make requests, and that companies must pay attention to them.
The California Attorney General’s office is working on regulations about how companies must comply with the CCPA. It will issue these regulations on July 1, after which it will begin enforcing the law.
Why haven’t you made an automated tool for making requests?
We are pushing for ways to make it easier for consumers to use existing tools, such as Do Not Track headers, that let people communicate their preferences to all online businesses with a single setting. And we’re also advocating for laws that would require companies to come to you to request consent before they start to collect your information.
I don’t live in California. Does this affect me?
The CCPA only applies to consumers who live in California. But some companies, such as Microsoft, are applying the standards set by the CCPA to all of their customers.
We’re also already seeing other states look to California’s progress as a spur to introduce legislation in their own states.
You said CCPA is an important first step. What’s next?
EFF will not stop fighting to strengthen consumer privacy across the country. That includes working with the California Attorney General’s office and legislators to continue defending it, and working to pass strong consumer privacy laws across the country.
from Deeplinks https://ift.tt/36ILTX2
forensiceyes · 4 years
Final CCPA Regulations Take Effect With Modification; Extension of Employee and Business-to-Business Exemptions Advances
Two developments in the past week will likely have a significant impact on businesses subject to the California Consumer Privacy Act (“CCPA”): the long-awaited CCPA regulations have been finalized and put into immediate effect with modifications, while at the same time it seems increasingly likely that the exemptions for employees’ and business-to-business contacts’ data will be extended beyond January 2021.
CCPA Regulations Approved With Modifications, Effective Immediately
On Friday, the California Office of Administrative Law formally approved the California Attorney General’s (“AG”) CCPA regulations.  The regulations go into effect immediately and appear largely similar to the version submitted by the AG in June after an extensive rulemaking process.  However, in addition to a number of minor grammatical and stylistic edits, there are a few noteworthy changes in the final regulations:
Deleted sections: Five provisions were deleted from the final text, although the AG has the ability to revise and resubmit these for approval in the future:
Section 999.305(a)(5) would have required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose. Although that provision has been removed from the final regulations, Federal Trade Commission guidance still recommends that businesses obtain consent for material retroactive changes.
Section 999.306(b)(2) would have required businesses substantially interacting with consumers offline to provide notice of the right to opt-out via an offline method.
Section 999.315(c) stated that businesses needed methods for submitting opt-out requests that were “easy for consumers to execute and . . . require minimal steps to allow the consumer to opt-out”; it also prohibited businesses from utilizing any “method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
Section 999.326(c) would have permitted businesses to deny a request from an authorized agent if that agent did not “submit proof that they have been authorized by the consumer.” Although that provision has been struck, § 999.315(f) still states that: “A business may deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.”  Emphasis added.
The entire final article on “Severability” was removed from the regulations. The addendum to the Final Statement of Reasons (“FSOR”) explains that the section was unnecessary.
Financial incentives: The rules relating to financial incentives have been a source of confusion and debate throughout the rulemaking process. There are two noteworthy changes in the final regulations:
In the definition of “financial incentive” in § 999.301(j), the word “retention” was changed back to “deletion,” which the addendum to the FSOR states is to “align with the express words of the statute.” This particular edit was contested during the rulemaking process:  the original draft regulations used the word “deletion,” which the AG replaced with “retention” in subsequent drafts, before now reverting back to deletion.
In the section describing notice of financial incentives, § 999.307(a)(1), the phrase “related to the collection, retention, or sale of personal information,” which previously modified “financial incentive or price or service difference” was deleted from the last sentence. It now reads: “A business that does not offer a financial incentive or price or service difference is not required to provide a notice of financial incentive.”
“Do Not Sell My Personal Information”: The regulations no longer permit businesses to comply with the opt-out requirement by including a link that states more informally: “Do Not Sell My Info.”
Status of Employee and Business-to-Business Exemptions
As the AG’s regulations go into effect, it appears increasingly likely that the existing time-limited exemptions in the CCPA may be further extended.  The statutory exemptions for employees and certain data collected in the context of business-to-business transactions and communications are currently set to expire on January 1, 2021.  However, the California Privacy Rights Act (“CPRA”)—which will appear on the California ballot in November and would significantly reshape the CCPA’s requirements—automatically extends those exemptions until January 1, 2023.  The purpose of the extension is to provide businesses and lawmakers with much-needed additional time to consider whether a separate law is required to address these types of personal information.  But while the ballot initiative’s fate remains undecided, the California legislature is moving an additional contingency plan along: AB 1281, which would extend the employee and business-to-business exemptions until January 1, 2022, in the event that the ballot initiative fails.  (If the ballot initiative passes, the CPRA’s longer extension until 2023 would supersede AB 1281.)
On Thursday, the Senate Judiciary Committee considered and approved AB 1281.  The bill is expected to be referred to appropriations for a final fiscal committee vote before going to the Senate floor.  Because the committee report identifies a long list of supporters for the bill and no opposition, it seems likely to pass before the legislative session ends on August 31.  Its passage would provide additional comfort for businesses while they await the outcome of the ballot initiative.
Final CCPA Regulations Take Effect With Modification; Extension of Employee and Business-to-Business Exemptions Advances posted first on http://ronenkurzfeld.blogspot.com
Landmark law, the ‘most comprehensive’ in the US, gives Californians an arsenal of tools to protect their data online
Last year, California passed a landmark privacy law that gives consumers more control over their data. The legislation gives residents unprecedented rights to control what information companies collect on them and how it is used.
The California Consumer Privacy Act will go into action 1 January 2020, giving residents of the state a whole new arsenal of tools to protect their data and personal information online – and saddling businesses with a lot more responsibility.
Here is everything you need to know about California’s “groundbreaking” new privacy law.
What is the law?
The California Consumer Privacy Act, passed in 2018, is the “most comprehensive” privacy legislation to be enacted in the United States to date, according to the American Bar Association.
Under the new regulations, California residents will be able to demand companies to disclose what information is collected on them and request a copy of that information.
Companies will be forced to delete consumers’ data upon request and they’ll be prohibited from selling information if the customer instructs them to via a mandatory “do not sell” link on the company’s website.
Consumers will also have the right to “receive equal service and price whether or not they exercise their privacy rights” or in other words, companies won’t be able to treat a user differently because they have requested their data.
When does it go into effect?
The law is effective on 1 January – meaning consumers can submit requests for their data starting on that date. The California attorney general’s office will not take any enforcement action against companies that do not comply until 1 July 2020.
What businesses does it affect?
Businesses will be required to comply with the new regulations if they have an annual gross revenue in excess of $25m, derive 50% or more of their annual revenue from selling consumers’ personal information, or annually buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
That means at least 500,000 businesses will be required to comply with the new law, according to the not-for-profit the International Association of Privacy.
Who else does it affect?
Consumers in California will be most directly affected by the new law. However, even people who do not live in California may see ripple effects, said Peter Yared, the founder and chief executive officer of data management company InCountry.
“There are similar laws manifesting all over the world so increasingly companies are set up to receive and process these kinds of requests for data,” he said.
I live in California – how can I get my own data?
Consumers can receive a copy of their data by sending “a verifiable consumer request” to a business. The company is then required to comply with the request within 45 days of receipt. In some cases, companies can extend this time period for a maximum of 90 days total.
Consumers may only make a request for information twice a year, and only for a 12-month look-back period.
What happens if a company doesn’t give me my data?
Companies may face fines of $2,500 to $7,500 per violation of the new law, if the violation is deemed intentional. However, the CCPA also grants businesses a 30-day period to address a violation after receipt of a consumer’s request. The law is enforced by the California attorney general.
How does the CCPA compare to other privacy laws?
The California Consumer Privacy Act has often been called “GDPR-lite”, bearing resemblance to the EU’s General Data Protection Regulation, which went into effect in May 2018.
GDPR’s scope is broader, affecting all businesses that handle user data, whereas the CCPA applies only to businesses with a gross revenue over $25m, more than 50,000 customers, or whose revenue is 50% or more based on user data.
The CCPA provides more explicit “opt out” options for users who do not want their personal data sold. Under the CCPA, companies must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on their websites. Under GDPR, by comparison, businesses do not necessarily need the individual’s consent to collect and use data.
The rules also differ in their approaches to the collection of children’s data. Under GDPR, parents must provide consent for the processing of data of children under the age of 16. The CCPA requires businesses obtain consent from parents of children ages 13 and under, while kids older than 13 can provide their own consent.
What’s next?
Although the CCPA is the most extensive privacy law yet to be passed in the US, some advocates say it does not go far enough. Before the comment period on the law closed on 6 December, the Electronic Frontier Foundation, a not-for-profit organization, and other privacy advocates filed a request to strengthen the regulation.
The law as it is written does not do enough to address data collection, said Hayley Tsukayama, an EFF legal advocate, and California has few resources to enforce the law in 2020.
“You have the right to go to companies that have your data and ask to have it back, but they don’t have to come to you to ask to have it in the first place”, she said. “This is what we call opt in versus opt out.”
Companies that violate the law will also have the “right to cure”, meaning they can change their violating policies after they have been apprehended.
“We see this as a get out of jail free card,” Tsukayama said.
from Yahoo News - Latest News & Headlines https://ift.tt/39uiPnR
andreacaskey · 5 years
Google Ads intros ‘restricted data processing’ capability for CCPA compliance
Google will offer restricted data processing to enable businesses to comply with the California Consumer Privacy Act (CCPA), the company announced Wednesday. With restricted data processing enabled, Google will act as an affected business’ (advertiser, publisher or partner) data processing service provider. Here we’ll look at what this means for advertisers.
Restricted data processing, Google explained, will “restrict how it uses certain unique identifiers, and other data processed in the provision of services to you, to only undertake certain business purposes.”
What is the CCPA? Similar to the EU’s General Data Protection Regulation (GDPR), the CCPA provides several data privacy protections for California state residents. It is set to go into effect on January 1, 2020. Affected businesses must give California residents the ability to opt-out of the sale of their personal data on their website homepages. CCPA applies to businesses that, in part, meet one of the following criteria: Have annual gross revenue of at least $25 million; buy, receive or sell personal data of at least 50,000 consumers, households or devices; derive at least 50% of their annual revenues from selling personal data.
How restricted data processing works. With restricted data processing applied, features such as adding users to remarketing lists and similar audience seed lists will not be available. Google notes that for App campaigns this means users who download an app from an ad will continue to see ads for the app.
Conversion tracking and measurement will still work with restricted data processing as will services including ad delivery, reporting, measurement, security and fraud detection, debugging and product improvement information.
Third-party ad tracking or serving will not be affected when restricted data processing is enabled. The ads will continue to serve on the Google Display Network and other networks “unless disabled by a publisher.” Google will not respond to bid requests for cross-exchange display remarketing ads when a publisher sends an opt-out signal.
Restricted data processing may be implemented to apply to all users in California or on a per-user basis, for example when users click on a “Do Not Sell My Information” link.
How advertisers can enable it. Customer Match and Store Sales direct upload already operate using restricted data processing, and users don’t need to take action.
In Google Ads, setting the allow_ad_personalization_signals parameter to false will enable restricted data processing. You only need to set it once to apply it across all products configured through your global site tag (gtag). You can find more details on this help page.
For App campaigns using the Firebase SDK, disable personalized advertising features as explained here.
Google Analytics will act as a service provider for affected businesses when they have disabled sharing with Google products and services, per an addendum to its Data Processing Terms. For users subject to CCPA, Google Analytics . When data sharing is disabled, it will only use data collected on behalf of the customer in Google Analytics to provide Google Analytics services. That data cannot be used for remarketing lists, for example.
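The all-California and per-user options described above, wired to the global site tag, as an added example that is not code from the article or from Google. The cookie name `ccpa_do_not_sell`, the server-supplied region attribute, the `do-not-sell` link id and the tag ID `AW-PLACEHOLDER` are assumptions made for illustration.

```javascript
// Added example. Hypothetical names: the opt-out cookie, the region
// attribute, the link id and the placeholder tag ID.
const OPT_OUT_COOKIE = 'ccpa_do_not_sell';

// Report whether a Cookie header / document.cookie string records a
// previous click on the "Do Not Sell My Information" link.
function hasOptedOut(cookieString) {
  return String(cookieString || '')
    .split(';')
    .map((pair) => pair.trim().split('='))
    .some(([name, value]) => name === OPT_OUT_COOKIE && value === '1');
}

// mode 'all-california': restrict every visitor whose region is US-CA.
// mode 'per-user': restrict only visitors who opted out.
// A recorded opt-out is honoured in both modes, whatever the region.
function shouldRestrict({ mode, region, cookieString }) {
  if (hasOptedOut(cookieString)) return true;
  return mode === 'all-california' && region === 'US-CA';
}

// Build the gtag command queue in order. The 'set' command is placed
// before every 'config' so the setting is in force for all products
// configured through the global site tag from their first hit.
function buildGtagCommands({ tagIds, restrict, now = new Date() }) {
  const commands = [['js', now]];
  if (restrict) {
    commands.push(['set', 'allow_ad_personalization_signals', false]);
  }
  for (const id of tagIds) commands.push(['config', id]);
  return commands;
}

// First-party cookie written when the opt-out link is clicked, so the
// choice survives later page loads.
function optOutCookie(maxAgeDays = 365) {
  const maxAge = maxAgeDays * 86400;
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };

  const restrict = shouldRestrict({
    mode: 'per-user',
    region: document.documentElement.dataset.region, // assumed: set server-side
    cookieString: document.cookie,
  });
  for (const cmd of buildGtagCommands({ tagIds: ['AW-PLACEHOLDER'], restrict })) {
    gtag(...cmd);
  }

  const link = document.getElementById('do-not-sell'); // assumed link id
  if (link) {
    link.addEventListener('click', (event) => {
      event.preventDefault();
      document.cookie = optOutCookie();
      // Apply to the rest of this page view as well as future ones.
      gtag('set', 'allow_ad_personalization_signals', false);
    });
  }
}
```

The decision runs before any `config` command on every page load, so a visitor who opted out on an earlier visit is never configured with personalization signals enabled.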
Responsibilities. Advertisers, publishers and partners working with Google are responsible for ensuring they’re using its products in compliance with CCPA, the company says. Partners “must decide for themselves when and how to enable” restricted data processing.
Restricted data processing, Google states, does not apply to “the sending or disclosure of data to third parties” that advertisers, publishers or partners work with.
Additionally, if you share data between Google products, the data will be subject to the terms of the recipient product.
Why we should care. If your business falls under CCPA, you’ll want to be sure you’re adhering to the regulations across your digital marketing efforts. Given the size of California’s population (California represents 12% of the U.S. population), this regulation will affect the ability of those businesses to retarget and build lookalike audiences from site visitors and customers across a potentially sizable share of their audience.
This story first appeared on our sister site MarTech Today.
The post Google Ads intros ‘restricted data processing’ capability for CCPA compliance appeared first on Search Engine Land.
tendance-news · 4 years
Landmark law, the ‘most comprehensive’ in the US, gives Californians an arsenal of tools to protect their data online
Last year, California passed a landmark privacy law that gives consumers more control over their data. The legislation gives residents unprecedented rights to control what information companies collect on them and how it is used.
The California Consumer Privacy Act will go into effect on 1 January 2020, giving residents of the state a whole new arsenal of tools to protect their data and personal information online – and saddling businesses with a lot more responsibility.
Here is everything you need to know about California’s “groundbreaking” new privacy law.
What is the law?
The California Consumer Privacy Act, passed in 2018, is the “most comprehensive” privacy legislation to be enacted in the United States to date, according to the American Bar Association.
Under the new regulations, California residents will be able to demand that companies disclose what information is collected on them and request a copy of that information.
Companies will be forced to delete consumers’ data upon request and they’ll be prohibited from selling information if the customer instructs them to via a mandatory “do not sell” link on the company’s website.
Consumers will also have the right to “receive equal service and price whether or not they exercise their privacy rights” or in other words, companies won’t be able to treat a user differently because they have requested their data.
When does it go into effect?
The law is effective on 1 January – meaning consumers can submit requests for their data starting on that date. The California attorney general’s office will not take any enforcement action against companies that do not comply until 1 July 2020.
What businesses does it affect?
Businesses will be required to comply with the new regulations if they have an annual gross revenue in excess of $25m, derive 50% or more of their annual revenue from selling consumers’ personal information, or annually buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
That means at least 500,000 businesses will be required to comply with the new law, according to the not-for-profit the International Association of Privacy.
Who else does it affect?
Consumers in California will be most directly affected by the new law. However, even people who do not live in California may see ripple effects, said Peter Yared, the founder and chief executive officer of data management company InCountry.
“There are similar laws manifesting all over the world so increasingly companies are set up to receive and process these kinds of requests for data,” he said.
I live in California – how can I get my own data?
Consumers can receive a copy of their data by sending “a verifiable consumer request” to a business. The company is then required to comply with the request within 45 days of receipt. In some cases, companies can extend this time period for a maximum of 90 days total.
Consumers may only make a request for information twice a year, and only for a 12-month look-back period.
What happens if a company doesn’t give me my data?
Companies may face fines of $2,500 to $7,500 per violation of the new law, if the violation is deemed intentional. However, the CCPA also grants businesses a 30-day period to address a violation after receipt of a consumer’s request. The law is enforced by the California attorney general.
How does the CCPA compare to other privacy laws?
The California Consumer Privacy Act has often been called “GDPR-lite”, bearing resemblance to the EU’s General Data Protection Regulation, which went into effect in May 2018.
GDPR’s scope is broader, affecting all businesses that handle user data, whereas the CCPA applies only to businesses with a gross revenue over $25m, more than 50,000 customers, or whose revenue is 50% or more based on user data.
The CCPA provides more explicit “opt out” options for users who do not want their personal data sold. Under the CCPA, companies must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on their websites. Under GDPR, by comparison, businesses do not necessarily need the individual’s consent to collect and use data.
The rules also differ in their approaches to the collection of children’s data. Under GDPR, parents must provide consent for the processing of data of children under the age of 16. The CCPA requires businesses obtain consent from parents of children ages 13 and under, while kids older than 13 can provide their own consent.
What’s next?
Although the CCPA is the most extensive privacy law yet to be passed in the US, some advocates say it does not go far enough. Before the comment period on the law closed on 6 December, the Electronic Frontier Foundation, a not-for-profit organization, and other privacy advocates filed a request to strengthen the regulation.
The law as it is written does not do enough to address data collection, said Hayley Tsukayama, an EFF legal advocate, and California has few resources to enforce the law in 2020.
“You have the right to go to companies that have your data and ask to have it back, but they don’t have to come to you to ask to have it in the first place”, she said.
“This is what we call opt in versus opt out.”
Companies that violate the law will also have the “right to cure”, meaning they can change their violating policies after they have been apprehended.
“We see this as a get out of jail free card,” Tsukayama said.
from Yahoo News - Latest News & Headlines https://ift.tt/39uiPnR
unixcommerce · 4 years
What is the CCPA and Could It Threaten Your Small Businesses?
Protecting personal information of clients should be tops on your radar, and it’s growing increasingly complex. The recent enacting of the California Consumer Privacy Act (CCPA) may not directly affect your small business, but you need to know about it. It is definitely a sign of things to come regarding data protection.
What is the CCPA?
The CCPA is a regulation aimed at protecting the personal information of California residents, giving those residents more control over their data. You might think it has nothing to do with your small business. After all, you don’t operate in California, right?
The CCPA has jurisdiction not only over businesses operating in California, but also over all businesses that process the personal information of California residents. In order for the CCPA regulation to apply, the business must have annual gross revenue of more than $25 million.
So, you’re thinking, the CCPA doesn’t apply to my small business. I don’t operate in California or have customers in California. Even if I did, my business revenue isn’t anywhere close to $25 million.
But you do need to pay attention to CCPA, because it’s a sign of things to come. It was the first regulation of its kind in the United States, and other states have either enacted their own regulations or have legislation in the works. You need to be sure that you have data protection software in place.
A Data Privacy Regulation Example from New York
In March 2020 New York launched the SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which requires businesses to have safeguards in place to protect an individual’s private information.
As with the CCPA, the SHIELD Act works both ways. It doesn’t only apply to a business operating in New York. Any business that maintains the private information of New York residents is included.
Private information includes, for example, credit or debit card numbers, bank account numbers, user names and email addresses. The SHIELD Act requires businesses that hold private information about New York residents to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information.”
Penalties for noncompliance, and breaches, can be high. For example, in the CCPA legislation, businesses which don’t comply with the CCPA can be fined from $2,500 to $7,500. California residents who are victims of a breach can sue the company.
The SHIELD Act is enforced by the state’s Attorney General. The maximum penalty is $250,000.
How Can Your Business Be Compliant with Data Protection Legislation?
Your first step is to take stock of how much personal information from customers you store on your computer or computers. Analyze how the data is stored and how it is protected.
Next, research data protection regulations in your home state. Is your small business in line with the requirements? Do you have the right software to keep your business in compliance with data protection regulations? Where are areas that need improvement?
Remember that if a breach happens, you’ll have to be able to prove that you were compliant with regulations. You may be asked to generate reports about your compliance efforts to prove that you weren’t liable.
Ideas for Outsourcing Data Protection
A number of companies specialize in information technology, network security and SaaS (software as a service). Those companies are already familiar with standard ways to secure data. They know how to maintain and provide the documentation that backs up those security efforts.
Let’s take a look at one of them.
Electric AI Works with Small Businesses
According to Alex Foley, CISO at Electric AI (Artificial Intelligence), the company works with businesses to develop and standardize the documentation processes involved with compliance reporting. The company’s focus is on startups and small businesses, helping them ensure they are compliant with all present and future legislation.
“Our typical customer has from 25 to 300 employees,” Foley said. “Customer industries include, but are not limited to, financial services, tech, consumer, advertising/marketing, HR, and health / wellness.”
Electric AI works with a range of businesses. They include those with no IT solution in place. But they also include those with an internal IT or an outsourced IT provider.
Common Data Protection Deficiencies in Small Businesses
“Many companies have unsupported and unpatched firewalls,” Foley said. “This lack of support and critical security patching could lead to a compromise of the firewall and the network behind it.”
Many companies have ports and services open to the Internet. This can lead to a compromise of the firewalls themselves or of the devices and services behind them. The Electric AI team offers an operational and security review of all new customers. The review ensures that devices are supported by the manufacturer, have current patching and have a minimum of ports open to the Internet.
More than half of all customer workstations onboarded by Electric AI lack basic security controls. These basic controls include automated security patching, full disk encryption, automated screen lock and an enabled firewall.
What Does Electric AI Do?
Electric AI seeks to alleviate these problems. The company performs a comprehensive network review and remediation as part of onboarding. On workstations, for example, Electric AI works to implement a default set of policies that improves the security posture of customer workstations.
Does Your Small Business Need Better Data Protection?
“We cannot officially tell stories, but we have seen more than a few situations where we have onboarded customers which had critical security vulnerabilities in their equipment,” Foley said. “Our reviews and remediation efforts dramatically improve these customers’ security posture in short order.”
With Electric AI, customers see information about their security. They also see their operational posture through the Electric Turbine Dashboard. For more information, email is [email protected] and phone is 646-779-1607.
This article, “What is the CCPA and Could It Threaten Your Small Businesses?” was first published on Small Business Trends
https://smallbiztrends.com/