California Consumer Privacy Act
The number of state laws related to cybersecurity are too numerous to outline. The emerging laws tend to focus on privacy and contain many of the core principles found in the California Consumers Privacy Act (CCPA), which was implemented in January 2020.
The law allows consumers the right to find out who has access to their personal data. Consumers can stop data from being sold or transferred to third parties through an opt-out function that must be prominently posted or request that companies delete their data.
Table 2-4 outlines key concepts embedded in the CCPA and many states’ privacy laws:
TABLE 2-4 Key privacy concepts.
| CONCEPT | OBJECTIVE |
|---|---|
| Full disclosure | The idea is that an individual should know what information about them is being collected. They should be told how that information is being used. |
| Limited use of personal data | The idea is that only the data needed for the transaction should be collected. Do not collect more information than you need to provide the product or service. |
| Opt-in/opt-out | The practice of asking permission on how personal information can be used beyond its original purpose, such as a real-estate company asking permission of someone who sold their home if their information can be shared with a moving company. The difference between opting in and opting out generally refers to clicking a box on a webpage. In an opt-in process, unless the consumer clicks the “Yes” box, no additional service is offered. In an opt-out process, consumers are automatically enrolled in a service unless they click the “No” box or deselect the “Yes” box. |
| Data privacy | Expectations on how your personal information should be protected and limits place on how the data should be shared. |
| Informed consent | The idea that you are of legal age, capable, have the needed facts, and absent undue pressure can make an informed judgment. |
| Public interest | The idea is that an organization has an obligation to the general public beyond its self-interest. Although a vague term, it’s not unusual for regulators to look at the impact a company has on the industry or the economy in general. |
The CCPA was one of the first state laws to significantly expand the definition of personal information. The law recognized the increased importance and impact on an individual’s personal identity over the Internet. The CCPA’s list of data elements that constitute “personal information” includes the following:
-
Identifiers, such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
-
Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
-
Biometric information such as fingerprints, facial recognition files
-
Internet or other electronic network activity information, including, but not limited to browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
-
Geolocation data
-
Audio, voiceprints, electronic, visual, thermal, olfactory, or similar information
-
Professional or employment-related information
-
Education information, defined as information that is not publicly available as defined in the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §1232g, 34 C.F.R. Part 99) which protects education records and the student’s identification including disclosure of ay part of the student’s Social Security number.
-
Inferences are drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, or the like