California Consumer Privacy Act of 2018
This is my review of, and findings on, AB 375, which goes into effect on January 1, 2020 and is also called the California Consumer Privacy Act of 2018.
I am not an attorney, and I am not licensed to practice law in California or anywhere else in the United States of America. This is provided as information for information security practitioners, based on my reading of the bill in its entirety.
You can read the law here:
::https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375::
California Consumer Privacy Act
Assembly Bill 375
Created 06/29/2018 (04:00 Pacific)
Title 1.81.5 (commencing with Section 1798.100) is added to Part 4 of Division 3 of the Civil Code.
The measure will be known and cited as "The California Consumer Privacy Act of 2018" (CCPA).
Foreword: In 1972 the residents of California voted to amend the California Constitution to include the right of privacy among the "inalienable" rights of all people.
The CCPA is intended to provide the following:
- The right of Californians to know what personal information is being collected about them
- The right of Californians to know whether their personal information is sold, or disclosed, and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, EVEN if they exercise their privacy rights.
Along with the rights above, this law also sets out how breaches and leaks of Californians' information are handled, regardless of whether your company is physically located in California: doing business in the state and handling Californians' personal information is enough.
The bill uses the term "consumer" for a natural person who is a California resident. Basically, if you live in California, you are covered.
Another aspect of the CCPA is that it defines what personal, identifying and re-identifying information is.
These identifiers include the basics we all know today:
- Date of Birth
- Social Security Number
- Name
- Address
- Driver's License, Military or Passport Identification Number
- Fingerprints
...and the law goes further, listing biometric identifiers such as vein patterns and DNA.
The law also requires businesses to provide designated methods through which the general public can submit requests under this law: at minimum a toll-free telephone number and, for businesses that maintain a website, a website address.
There are also time limits within which a business must comply with a verified request, free of charge:
45 days is the allotted time frame in which to deliver the information requested by a Californian, extendable once by an additional 45 days when reasonably necessary, provided the consumer is notified of the extension within the first 45-day period.
Online privacy policies must be updated at least once every 12 months and must include, either in the policy itself or in a California-specific description of consumers' privacy rights, the disclosures this law requires for California residents.
Businesses must also provide a clear and conspicuous link on their home page, titled exactly "Do Not Sell My Personal Information", leading to a page that lets the consumer opt out of the sale of their personal information.
Once a consumer opts out of the sale of their personal information, the business must respect that choice for at least 12 months before asking that consumer to authorize the sale of their personal information again.
Definitions provided in the CCPA:
Aggregate Consumer Information - information that relates to a group or category of consumers, from which individual identities have been removed, and that is not linked or reasonably linkable to any consumer or household.
Business - a sole proprietorship, partnership, limited liability company (LLC), corporation, association (neighborhood, community or activity associations, to name a few), or ANY other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information (or on whose behalf it is collected), determines alone or jointly with others the purposes and means of processing it, and does business in California. Note that the bill only treats such an entity as a "business" if it also meets at least one of three thresholds: annual gross revenues above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50 percent or more of its annual revenue from selling consumers' personal information.
The definition also includes any entity that controls or is controlled by such a business and shares common branding with it.
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The law also lists the specific categories of information this includes.
This is the definition that should be applauded:
************
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making
available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a
consumer’s personal information by the business to another business or a third party for monetary or other
valuable consideration.
************
The definitions are much clearer and more specific than we are used to, and very difficult to loophole.
Some of the language in this bill also covers what happens to information when a business changes hands.
Let's say your information is collected, and you've opted out, at The 345 Company. This company then gets purchased by The XYZ Corporation. The bill carves the transfer of personal information as an asset in a merger, acquisition or bankruptcy out of the definition of "sell", but only as long as the acquirer keeps using and sharing the information consistently with the notices given when it was collected. If The XYZ Corporation wants to materially change how it uses or shares that information, it must give the affected consumers notice first, and your opt-out still stands: XYZ cannot start selling what 345 was not allowed to sell.
I'm sure businesses would look for ways around this, such as keeping the purchased company alive purely as an information-holding entity until the information is no longer useful for use, sale or sharing by the purchaser.
This would mean the purchasing company providing resources, employees and licensing (to name a few) to the purchased company. The anti-avoidance clause in Section 1798.190, quoted further below, is aimed squarely at that kind of structuring.
There is an interesting "blurb" in there that says the law does not apply if every aspect of the commercial conduct took place wholly outside of California. For example: I visit Nevada and sign up for something there. The information was collected while I was outside of California, no part of its sale happened in California, and so it is not covered by the CCPA.
Here the burden of proof would in practice fall on the company to show it collected and sold the information wholly outside of California, rather than on the consumer to prove they were not outside of California.
Here is the big "kicker" for information breaches and information leaks:
If a consumer's nonencrypted or nonredacted personal information is exfiltrated, stolen or disclosed from a company's possession because the company failed to implement and maintain reasonable security procedures, the consumer can sue for statutory damages of not less than $100 and not greater than $750 per consumer, per incident, or for actual damages, whichever is greater. (Example: Equifax's breaches were two separate incidents. If your information was leaked in both, Equifax would owe you a minimum of $200 in statutory damages, and if the court set statutory damages at the $750 maximum for each incident, $1,500.)
Note that statutory and actual damages do not stack. If your actual damages from the two breaches came to $1,800, you would recover $1,800, not $1,800 on top of the $1,500, because the law awards whichever of the two is greater.
Also note that before seeking statutory damages a consumer must give the business 30 days' written notice identifying the specific violations; if the business cures them within that period and confirms so in writing, no action for individual statutory damages can be brought. Actual damages from the breach itself can still be pursued.
Another "kicker".
If a business is notified of an alleged violation of this law and fails to cure it within 30 days, it is in violation of the CCPA, and the Attorney General can seek an injunction and a civil penalty of up to $7,500 for each violation.
A special fund called the "Consumer Privacy Fund" is created to offset the costs of investigating and enforcing CCPA violations. 20 percent of the civil penalties collected from a company in violation goes into this fund (the remaining 80 percent goes to the jurisdiction on whose behalf the action was brought).
This is the part I find the most worthless:
Funds transferred to the Consumer Privacy Fund shall be used exclusively to offset any costs incurred by the state courts and the Attorney General in connection with this title. These funds shall not be subject to appropriation or transfer by the Legislature for any other purpose, unless the Director of Finance determines that the funds are in excess of the funding needed to fully offset the costs incurred by the state courts and the Attorney General in connection with this title, in which case the Legislature may appropriate excess funds for other purposes.
So, in essence, once the Director of Finance declares that the fund holds more than the courts and the Attorney General need, the Legislature can appropriate the surplus for any other purpose.
It starts off nicely, but after the first sentence you can see that the funds can end up being used for almost anything else, leaving "The Consumer Privacy Fund" potentially drained (naaa... California's government wouldn't do that!!!).
This should DEFINITELY be changed!! (reference: Section 1798.160(b))
Ok...moving on...
This title adds to, and does not replace, the privacy laws California already has in place.
This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers' personal information by a business.
This gives the State of California the power to impose this portion of the law regardless of what smaller governments within California may want or try to do.
Basically, this is the floor, and the State of California can and will pursue these challenges within its legal boundaries (physical and virtual).
The bill also contains an anti-avoidance clause: a business cannot break a sale or disclosure into a chain of intermediate steps in order to escape the reach of this law, and a court will look at the transaction as a whole.
This part is in Section 1798.190:
If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this title, including the disclosure of information by a business to a third party in order to avoid the definition of sell, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title.
So here is the "short version" as interpreted by myself, Sandor Slijderink.
In no way, shape or form am I a lawyer, attorney or person who has passed any state bar exam. I am not an attorney. I am providing information included in AB 375 along with my opinion and views on what I have read.
If you have legal questions regarding the California Consumer Privacy Act of 2018, please seek a qualified California lawyer/attorney.
I AM an information security professional and am currently employed as one. This means that I can only speak to how information security professionals might need to handle Californians' personal information.
Matthew 7:7
5 years ago: And here I thought the San Andreas fault was the thing that was going to disconnect California from the world... Great write-up. Guess I need to geoban that area...
Wizer - Free Security Awareness Training | Founder
5 years ago: Great work! Sandor S. CISSP