What is the CCPA? A Guide to California Privacy Law

Introduction: What is the CCPA?

The California Consumer Privacy Act will come into effect on January 1, 2020. This fact may have a significant impact on your business. 

California is the crown jewel of the United States economy. If it were a standalone country, its $2.7 trillion GDP would be the fifth-largest in the world, ahead of the United Kingdom. Combined with the state’s status as an incubator for tech innovation and consumer culture, this gives California outsized importance for all kinds of businesses operating at local, national, and multinational levels.

The CCPA forces enterprises of a certain scale to contend with it. Other states will soon follow suit with similar legislation of their own; California has long been a bellwether for US-wide tech legislation.

This guide examines the CCPA piece by piece, analyzing its business impact, with particular attention to the consequences for the data management, systems, and practices of small-to-medium enterprises (SMEs).

The conclusion should make clear that the CCPA is nothing to fear for management and development teams. Teams that are proactive and thoughtful in adapting to its prescriptions will get ahead in achieving compliance. For those that do not take the appropriate amount of care, the consequences can be severe.

Getting Started: What is the Scope of CCPA?

Reading through the CCPA is quite a different exercise from reading through the GDPR. For context, the GDPR is another major piece of consumer data protection legislation to emerge in recent times. The language of the GDPR is clear and its structure is logical. By contrast, the CCPA is written in dense “legalese”, and the structure of the Act skips from one area to another without a consistent thread.

The CCPA is a series of builds on, or amendments to, previously existing legislation, whereas the GDPR was an attempt to craft a comprehensive data protection policy from scratch. The upshot is that it is most sensible to analyze the CCPA under topic groupings rather than from top to bottom. The first essential topic to consider is scope: to whom does the CCPA apply? There is a host of ways a business can become subject to CCPA requirements.

How to Determine If your Business Qualifies

Regardless of the amount of data you collect, if you have gross revenue over $25 million, the CCPA applies to you. If you are not operating at that scale but still collect, buy, or sell the personal information of over 50,000 people, households, or devices per year, the CCPA also applies to you. And if a business does not process that amount of personal information but still earns more than half of its yearly revenue (whatever the absolute number) from selling consumers’ data, the CCPA is applicable. Of course, your company must also have a business presence in the state of California, because that is as far as the legislation’s power extends.

Personal Data

“Personal Data” is the second scope-related question in the CCPA. Whereas other pieces of data legislation take an umbrella-view of defining what constitutes personal data, the CCPA attempts to spell out in more explicit detail the types of information that count. The list here is extensive and worth comprehensive review, but a pivotal point to realize is that the CCPA covers information that links to households as well as individuals.

In effect, this means that certain information that would not be protected under other legislation, because it cannot be associated with an individual, is protected under the CCPA. For example, TV viewing records or purchase behavior data that is not linked to an individual are considered personal data under the CCPA because they are linked to a household.

Digging Deeper: What are the Intentions of the CCPA?

Once you address the question of scope, it’s possible to begin examining the intentions of the California Consumer Privacy Act and, at macro-level, the measures it takes to achieve those intentions. 

Section 2 of the Act explicitly outlines the aim of this piece of legislation – empowering citizens of California to:

  • Know what personal data organizations are collecting about them
  • Know if/when personal information is sold or disclosed and to whom
  • Say “no” to the sale of their data
  • Access the personal data that an organization has collected about them
  • Obtain equal service and price from companies collecting personal data

Right away, a development team or project manager tasked with architecting their SME’s data infrastructure should see that these aims, if adequately supported by the legislation, carry far-reaching consequences for how businesses build their data management systems.

The old notion of siloing company data is dead. Data is no longer a static mass; it is information continuously added and removed through interaction with company employees and product consumers. Businesses will face real challenges in becoming and staying CCPA-compliant. They need flexibility and agility built into the architecture, from collection and storage through retrieval and analysis.

Business Obligations: CCPA’s Impact on the Data Landscape

Given the objectives stated, what are the concrete steps businesses must take to avoid running afoul of the CCPA? Here is a summary of the most important:

Companies must be able to disclose to a requesting consumer the categories and specific pieces of personal information that the business has collected.

Businesses must have both a clearly signposted method for consumers to lodge a request for information and a streamlined system for disaggregating an individual’s data from their database. They need to deliver it in a timely fashion too. It is worth noting that a business is obligated to provide this information up to two times in twelve months. Though it may seem self-evident, this means a system is needed to track information requests so that one individual does not overly burden the system.

Consider that even some businesses operating at scale neither possess a system for request intake nor keep a single-location record of information requests. In this scenario, it is entirely feasible that a single individual could take up far more valuable staff time than legally necessary through repeated information requests.

These are easy problems to solve when considered upfront but can be challenging to retrofit once they become evident. An additional requirement is that delivery of this data must be free and in a reasonably consumable form: businesses cannot charge a consumer to receive a copy of their data, and they cannot present that data in some arcane file format that the consumer will have difficulty decoding.

All in all, this requirement could lead to significant business impact for companies that are not already up to speed on current best practices for data management.

At or before the point of data collection, businesses are required to inform consumers of the categories of personal information they intend to collect and the purpose for using specific types of personal information.

For any SME operating on “highest common denominator” principles, this will be no surprise. After all, this is already a requirement under GDPR law. It’s reasonable to expect that as the world follows in the footsteps of the CCPA and GDPR, upfront disclosure of data collection will become a standard legal procedure. 

In practice, this can have a range of implications for a company’s customer experience on- and offline, such as:

  • A pop-up box for consent to cookies
  • An opt-in screen before a user enters the purchase funnel 
  • Changes to the purchase experience in physical store locations that are passively collecting data on in-store customer behavior

Under the CCPA, some forms of personal information that cannot be tied directly to an individual are still protected. To fully understand how this requirement could change the way a company does business, an in-depth audit will often be necessary.

Lastly, businesses and marketers collecting information on consumers need to be able to wipe out that information entirely upon request.

Moreover, in many cases the business must be able to direct related service providers who use this information to wipe it as well. It does not matter whether the data has been sold as part of a second-party set or shared as part of a service-delivery process; the requirement stands.

This obligation demonstrates that businesses operating under CCPA jurisdiction have no choice but to end antiquated “data-silo” operations, especially those that made ongoing alterations to a data store difficult and time-consuming. Businesses will also have to ensure their partners and data clients have this same capability, since they can be held liable for a partner’s failure to remove records from a database.

What are the Costs for Violating CCPA?

Of course, the CCPA could not hope to be a compelling piece of privacy legislation without effective enforcement mechanisms to keep companies honest. What are the consequences for organizations that run afoul of its prescriptions? To put it plainly, they can add up quickly.


A person, business, or service provider found in violation of the CCPA is subject to a court injunction. They are also liable for a civil penalty of up to $2,500 per unintentional violation and $7,500 per intentional violation. 

The critical thing to remember is that for companies dealing with large amounts of personal data, violations likely won’t number in the tens, hundreds, or even thousands of customers. A systemic violation of CCPA provisions can quickly put a six-digit multiplier on the $2,500 or $7,500 fine. 

Civil Suit

For many SMEs, this could prove a high enough number to sink them entirely. That is not all. Apart from civil penalties, consumers can bring private actions of up to $750 per incident, plus personal damages. A business that simply fails to notify its consumers that it is collecting web data can quickly find itself looking down the barrel of a damaging class-action civil suit.

In essence, the CCPA is a piece of legislation that takes data protection seriously. It has the enforcement clout to make businesses take it seriously too. The bill becomes the law of the land on January 1, 2020. Companies with a footprint in California have approximately six months as of the time of writing to ensure they’re not at risk for severe financial penalties. 

First Steps: How Should Teams Prepare for the New Data Landscape?

Time to take action! What are the steps that teams should take now? Let’s examine some of the critical steps any business can take to prepare.

Conduct a Review of Existing Data Architecture.

If you are a typical SME preparing for what lies ahead, your first step is a comprehensive review of data operations. Prepare data maps, inventories, and other records cataloging all points of collection, storage, retrieval, and use of personal information relating to California-based consumers. Only through this exercise can a business accurately plan the changes needed to be CCPA-compliant.

Consider more than California-only web/mobile/business models

For companies operating at a global scale, we recommend adopting a highest-common denominator approach to a full data architecture redesign. It future-proofs operations, saving time and money due to decreased need for bespoke solutions based on territory. 

For companies with a smaller footprint, however, it may be worthwhile to examine building California-specific consumer experiences. Your SME can decide on the best option by following the systematic audit of current data operations described above.

Ensure there are available online and offline methods for submitting Data Access Requests

The CCPA requires companies to consider their relationship with consumers. It mandates a toll-free number dedicated to submitting data access requests, so businesses must ensure their intake system is not online-only.

Provide a Clear “Do Not Sell My Personal Information” Option on web properties

This is another non-negotiable requirement of the CCPA. California citizens, or those authorized to represent them, must be able to designate that their data is not for sale, and a user who selects this option must not suffer a diminished experience as a result. In contrast, the GDPR does allow companies to alter the experience for customers who do not want their data monetized.

Plan New Systems That Can Perform The Following Functions

  • Verify the identity of individuals who request data access or data deletion
  • Respond to requests for data access or deletion within 45 days
  • Determine the age of a California resident. Companies must obtain parental consent for data collection for users under 13. If they don’t have a way to determine the user’s age, they can be held liable for disregarding this obligation.
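The request-tracking system mentioned earlier (up to two disclosures per consumer in twelve months) and the functions listed above (identity verification, a 45-day response window, age determination for the under-13 rule) can be sketched in a few dozen lines. The following is an added example, not code from the article or any product it mentions: the class and function names, the 365-day approximation of “twelve months”, and the sample consumer IDs are all constructed for illustration.

```python
"""Ledger for CCPA consumer requests: quota, deadlines and age gating.

Added illustration, not from the original article. It encodes the rules
the text states: answer an access request within 45 days, disclose at most
twice to one consumer in any twelve-month period, and require parental
consent before collecting from a user under 13. All names and sample data
are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DEADLINE = timedelta(days=45)  # stated response window
ACCESS_QUOTA = 2                         # disclosures per rolling window
QUOTA_WINDOW = timedelta(days=365)       # "twelve months", approximated as 365 days (assumption)
PARENTAL_CONSENT_AGE = 13


@dataclass
class Request:
    consumer_id: str
    kind: str            # "access" or "deletion"
    received_on: date
    due_on: date
    status: str = "open"


@dataclass
class RequestLedger:
    requests: list[Request] = field(default_factory=list)

    def _recent_access(self, consumer_id: str, today: date) -> int:
        """Count access requests accepted from this consumer inside the rolling window."""
        cutoff = today - QUOTA_WINDOW
        return sum(
            1 for r in self.requests
            if r.consumer_id == consumer_id and r.kind == "access" and r.received_on > cutoff
        )

    def submit(self, consumer_id: str, kind: str, identity_verified: bool,
               today: date) -> tuple[str, Request | None]:
        """Record a request or explain why it was declined.

        Unverified requesters are turned away before anything is stored. The
        quota applies to access requests only, since the text limits
        disclosures, not deletions.
        """
        if kind not in ("access", "deletion"):
            raise ValueError(f"unknown request kind: {kind}")
        if not identity_verified:
            return "identity not verified", None
        if kind == "access" and self._recent_access(consumer_id, today) >= ACCESS_QUOTA:
            return "quota exceeded", None
        req = Request(consumer_id, kind, today, today + RESPONSE_DEADLINE)
        self.requests.append(req)
        return "accepted", req

    def overdue(self, today: date) -> list[Request]:
        """Open requests whose 45-day window has already elapsed."""
        return [r for r in self.requests if r.status == "open" and today > r.due_on]


def needs_parental_consent(birth_date: date | None, today: date) -> bool:
    """True when collection from this user requires parental consent.

    An unknown birth date is treated as under 13, because the text notes that
    a business unable to determine age can still be held liable.
    """
    if birth_date is None:
        return True
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    years = today.year - birth_date.year - (0 if had_birthday else 1)
    return years < PARENTAL_CONSENT_AGE


def demo() -> dict:
    """Walk one constructed consumer ("c-100") through the ledger."""
    ledger = RequestLedger()
    day = date(2020, 1, 2)
    out = {}
    out["unverified"], _ = ledger.submit("c-100", "access", False, day)
    out["first"], _ = ledger.submit("c-100", "access", True, day)
    out["second"], _ = ledger.submit("c-100", "access", True, day + timedelta(days=30))
    out["third"], _ = ledger.submit("c-100", "access", True, day + timedelta(days=60))
    out["deletion"], _ = ledger.submit("c-100", "deletion", True, day + timedelta(days=60))
    out["after_window"], _ = ledger.submit("c-100", "access", True, day + timedelta(days=366))
    out["overdue"] = len(ledger.overdue(day + timedelta(days=46)))  # only the first request is late
    out["age_unknown"] = needs_parental_consent(None, day)
    out["age_12"] = needs_parental_consent(date(2007, 1, 3), day)   # 13th birthday is tomorrow
    out["age_13"] = needs_parental_consent(date(2007, 1, 2), day)
    return out
```

The third access request from the same consumer within the window is refused, the deletion request in the same period is not, and the request made 366 days after the first is accepted because the oldest disclosure has aged out of the window. In a real deployment the ledger would be persisted and the `status` field updated when a response ships, so that `overdue` drives an alert rather than a report after the fact.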


If this seems like a significant amount of work, it’s because it is.

Since its inception, the Internet has been a relatively lawless environment regarding consumer protection. Now the days of the Internet as a Wild West are genuinely drawing to a close. Just like in the physical world, businesses that wish to profit must follow the rules or face the consequences. Luckily with the proper foresight and attention, CCPA compliance can be a straightforward exercise that doesn’t break the balance sheet.

Published from our Privacy Magazine – To read more, visit Privacy.dev

GDPR Fully Explained

With the European Union’s passage of the General Data Protection Regulation (GDPR), the practice of data regulation moved out of its infancy. The GDPR is the first wide-reaching piece of unified data and privacy policy in the world, and it heavily shapes the plethora of rules set to follow in its wake.

Apart from the occasional headline about FAANG companies tussling with the new legislation, the practical impact of GDPR remains obscure. If you’re a stakeholder in a small-to-medium enterprise (SME), this is a big problem. Unlike Google and Facebook, SMEs are unlikely to have a bottomless legal budget to contest being found in violation of the GDPR. As a result, data compliance over the next five to ten years can quickly become a question of business survival. 

This guide is a starting point for understanding the implications GDPR has for these businesses. Let’s examine the document, chapter by chapter, to summarize its content and analyze the practical consequences for companies seeking compliance. 

1. Understanding the Key Terms

The GDPR begins by outlining the scope and subjects of its regulation. Chapter 1 covers Articles 1-4 of the document.

The two most important points to note from this section are where it applies and to whom. Territorially, the GDPR applies to data processing by organizations operating within the EU, even if the actual processing occurs outside the EU. It also applies to organizations based outside the EU that offer goods and services to individuals inside the EU.

Controllers & Processors

To whom does it apply? The GDPR applies to two parties: Data Controllers and Data Processors.

A Controller is a party that determines the purposes and means of personal data processing. For example, a beer company that does not build commercial software but has a website that gathers users’ birth dates is a data controller. A Processor is the party that processes or operates on personal data on behalf of the controller.

Continuing the example, the entity our hypothetical beer company subcontracts to is a Processor, because it builds the beer brand’s website. Note that the GDPR still binds data controllers even when they use an independent Processor for data collection, storage, or processing.

Finally, the GDPR seeks to regulate information that constitutes personal data. Personal data is information that relates to an identifiable individual. Determining whether information “relates” to an individual is an exercise in judgment; one must consider both the content of the information and the purpose of processing it. For most SMEs, it is advisable to err on the side of caution: treat any piece of user information, even if pseudonymized, as personal data unless explicitly advised otherwise by appropriate legal counsel.

2. Learning the Core Principles and Business Implications

Second are the GDPR’s foundational principles, covered in Articles 6-11. At the core of the GDPR is the provision that data collection must be lawful, fair, and transparent. Lawful, in this case, has two implications.

First, a business must proactively identify a lawful basis for collecting and processing user data. You cannot “shoot first and ask questions later.” Moreover, it must determine that the consequences of that processing are lawful. If a company has a legal basis for processing user data but uses it to do something illegal, then they violate the GDPR.

Informed Consent

The lawfulness principle is expanded in Article 6, which lists a myriad of conditions under which data processing can be considered lawful. “Informed Consent” is the essential one to be aware of: it is the principle under which many companies derive a legal basis for collecting data on their users.

Informed consent requires specific and unambiguous conditions. As a practical example, an online form with consent options as an opt-out selected by default violates the GDPR because it’s not unambiguous. The implications of informed consent are significant. 

Development and UX teams must structure their online data collection forms in a way that balances a clean experience with legal compliance. Organizations also need to build natural ways for consent to be withdrawn at any time: if users cannot remove consent as easily as they give it, the arrangement does not meet GDPR requirements. A typical example of this requirement is the pop-up box asking users to consent to the use of cookies on a company’s website. Now ubiquitous, these are a direct result of GDPR requirements.

Fairness and Transparency

Fairness and transparency are the value-driven counterparts to “lawful.” Under the tenets of the GDPR, an organization must go beyond pure legal compliance, showing that it has considered the impact of processing user data and found it justifiable. Organizations need open and honest approaches to data processing. They also need to comply with requests from data subjects regarding their data, honoring the “right to be informed.”

What does this mean for an SME? It means the lawful, fair, and transparent collection of data doesn’t happen on an ad hoc basis. Organizations collecting user data must proactively examine each category of data they want to collect and evaluate whether it is consistent with the fundamental principles of the GDPR. 

Organizations should ensure systems are in place to signpost when and how data is being collected, to meet the transparency requirement. They must also be able to receive and respond to requests from their users regarding personal data processing.

More Core Principles

Compliant development teams are mindful of the following core principles: 

  • Purpose Limitation. You must limit your data collection to data that serves your intended purpose and explain it to the user in plain English.
  • Data minimization. You must keep the data collected to a minimum for serving your intended purpose. You can’t collect data on the “off chance” that it serves your purpose. It must be explicit and necessary for your use.
  • Storage Limitation. There is a time component to purpose limitation: organizations must not store personal data beyond the time needed to complete the intended purpose. This seemingly small requirement has significant implications for how business is done. Data cannot simply be stored in perpetuity once collected; teams must build systems for the periodic purging of data and the re-obtaining of affirmative consent at regular intervals.

3. Understanding the Rights of the Data Subject

Having outlined the core principles, Articles 12-23 deal specifically with the rights of the data subject. Many of these rights stem directly from the need for lawful, fair, and transparent data collection. As we see in Chapter 3, these considerations extend into new and significant territory.

It is fair to say that the rights conferred on the data subject in this section have the most substantial impact, especially on how SMEs build data infrastructure. Essentially, businesses must be prepared to liaise with data subjects regarding their data and to take certain kinds of corrective action on the data residing in their systems.

Right to Access

Chapter 3 stipulates that citizens have a right to access their personal data and to see how controllers are processing it. Practically, data processors must have mechanisms in place to quickly and comprehensively share an individual’s data with them on request. A business with a massive “data lake” of consumer information therefore violates the GDPR if it cannot efficiently pull and distribute individual records.

Right to Erasure and Rectification

Chapter 3 confers additional rights on the Data subject, including the all-important Right to Erasure and Right to Rectification. These are safeguards to protect citizens even if their data has been captured lawfully, justly, and transparently. Rectification means that organizations must be able to correct inaccurate information about a data subject at the data subject’s request. Additionally, the Right to Erasure implies that a business must be able to provably delete all data related to a given individual if required to do so by request or otherwise. These conditions point to the need for reliable infrastructure supporting necessary capture and processing capabilities. 

Data Portability

Data Portability is less discussed in most media but equally impactful for individual businesses and the way they manage data. Article 20 of the GDPR stipulates that controllers must make data available to subjects in a “structured, commonly used, machine-readable format.” For a small business, this means that when a Subject Access Request (SAR) comes in, the company needs to turn around a response in a directly transferable format quickly. The artifact cannot be a printout or even a PDF; it is more likely to be a CSV or JSON file that is easily portable and can be opened and interpreted on the average citizen’s computer.

A further business consideration stemming from these fluid requirements is building systems agile enough to respond to the constant updating and extraction of data sets. Development teams have to think carefully about their data schemas, and about how those schemas are versioned and specified when they change frequently.
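The storage-limitation principle (periodic purging), the rights to rectification and erasure, and Article 20 portability described in the last few sections all act on the same personal-data store, so one small model can exercise them together. The following is an added example, not code from the article or from any real product. The store, its processor bookkeeping (a stand-in for actually notifying a subcontractor), the `schema_version` tag on exports, and the sample records are all constructed for illustration; the receipt digest is one way to make an erasure log tamper-evident, not a GDPR requirement.

```python
"""Toy personal-data store exercising GDPR obligations described above.

Added illustration, not from the original article or any product. Shows
storage limitation (purge past retention), rectification, erasure that also
reaches downstream processors and leaves a tamper-evident receipt, and a
versioned machine-readable export for portability. All names and sample
records are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

EXPORT_SCHEMA_VERSION = "2020-01"  # assumed: lets a recipient detect schema changes


@dataclass
class Record:
    subject_id: str
    purpose: str          # the purpose the data was collected for
    collected_on: date
    retention_days: int   # how long that purpose justifies keeping it
    data: dict


@dataclass
class PersonalDataStore:
    # processor name -> subject ids that processor holds (constructed stand-in
    # for a real notification channel to the subcontractor)
    processors: dict[str, set[str]] = field(default_factory=dict)
    records: list[Record] = field(default_factory=list)
    erasure_receipts: list[dict] = field(default_factory=list)

    def collect(self, record: Record, shared_with: tuple[str, ...] = ()) -> None:
        self.records.append(record)
        for name in shared_with:
            self.processors.setdefault(name, set()).add(record.subject_id)

    def export(self, subject_id: str) -> str:
        """Access / Article 20 portability: structured, machine-readable JSON."""
        rows = [
            {"purpose": r.purpose, "collected_on": r.collected_on.isoformat(), "data": r.data}
            for r in self.records if r.subject_id == subject_id
        ]
        payload = {"schema_version": EXPORT_SCHEMA_VERSION, "subject_id": subject_id, "records": rows}
        return json.dumps(payload, indent=2, sort_keys=True)

    def rectify(self, subject_id: str, field_name: str, new_value) -> int:
        """Rectification: correct a field wherever it appears; returns records changed."""
        changed = 0
        for r in self.records:
            if r.subject_id == subject_id and field_name in r.data:
                r.data[field_name] = new_value
                changed += 1
        return changed

    def erase(self, subject_id: str, today: date) -> dict:
        """Erasure: drop every record, tell processors to do the same, return a receipt."""
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        notified = sorted(n for n, held in self.processors.items() if subject_id in held)
        for n in notified:
            self.processors[n].discard(subject_id)
        receipt = {
            "subject_id": subject_id,
            "erased_on": today.isoformat(),
            "records_removed": before - len(self.records),
            "processors_notified": notified,
        }
        # Digest over the receipt body lets later tampering with the log be detected.
        receipt["digest"] = hashlib.sha256(json.dumps(receipt, sort_keys=True).encode()).hexdigest()
        self.erasure_receipts.append(receipt)
        return receipt

    def purge_expired(self, today: date) -> int:
        """Storage limitation: remove records whose retention period has run out."""
        keep = [r for r in self.records if r.collected_on + timedelta(days=r.retention_days) > today]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    def holds(self, subject_id: str) -> bool:
        """True while the subject is present here or at any processor."""
        return any(r.subject_id == subject_id for r in self.records) or any(
            subject_id in held for held in self.processors.values())


def demo() -> dict:
    """Constructed walk-through for two subjects; returns values for inspection."""
    store = PersonalDataStore()
    store.collect(Record("s-1", "newsletter", date(2019, 1, 1), 365, {"email": "a@example.com"}), ("mailer",))
    store.collect(Record("s-1", "orders", date(2019, 11, 1), 730, {"email": "a@example.com", "city": "Lyon"}))
    store.collect(Record("s-2", "orders", date(2019, 6, 1), 730, {"email": "b@example.com"}))
    out = {}
    out["rectified"] = store.rectify("s-1", "email", "new@example.com")
    out["export"] = json.loads(store.export("s-1"))
    out["purged"] = store.purge_expired(date(2020, 3, 1))  # the 365-day newsletter record has expired
    out["receipt"] = store.erase("s-1", date(2020, 3, 1))
    out["still_held"] = store.holds("s-1")
    out["s2_held"] = store.holds("s-2")
    return out
```

Note what the walk-through surfaces: the local purge removes the expired newsletter record, but the mailing processor still holds the subject until the erasure step notifies it. That gap is exactly the partner-liability point the text makes, and it is why `holds` checks processors as well as the local store.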

4. Exploring the Obligations of Controllers and Processors

This chapter of the GDPR is chock-full of information with necessary business implications, and spans 19 articles, making it the lengthiest section of the GDPR. 

Here are the key points to take out if you’re dipping your toes into the data protection waters:

Data Protection by Design and Default

Article 25 addresses a core data management principle under the GDPR. In principle, it means organizations are obligated to take “appropriate” measures when collecting, storing, and processing data. In practice, privacy-by-design engineering is now a vital consideration for any dev team. Depending on the size of your team, a dedicated privacy engineer may or may not be feasible, but in any case responsibility for privacy considerations must be delegated and prioritized among team members.

Other measures that may be considered appropriate, taking circumstances into account, include pseudonymization of data, encryption of data, and routine system security checks. With these safeguards in place, notifying relevant parties of a data breach should be straightforward. The GDPR goes further, however, codifying the obligatory response time for each party.

Organizations must notify the data subject immediately if there is a breach of their data. They must inform the relevant supervisory authority within 72 hours too. Has your business run a fire-drill to train for data breach response? If not, it should have! At the moment, GDPR’s requirements mean that no time can be lost aligning on the process.

Data Protection Officer

Lastly, Chapter 4 describes the role of a Data Protection Officer (DPO). A DPO is becoming increasingly common among data-dependent businesses. Indeed, if your business relies on processing large amounts of data (e.g., online behavior tracking), you are required to appoint someone to this position. While the exact threshold for an obligatory DPO is still being hashed out via GDPR-related rulings, we recommend that businesses that are serious about data management proactively recruit for this position.

5. Understanding the Transfer of Data to Third Countries and International Organizations

Chapter 5 of the GDPR provides additional detail on data transfers involving parties outside or above EU jurisdiction. If a business seeks to transfer data to one of these parties, specific steps must be taken for the transfer to be sanctioned under the GDPR: namely, “appropriate safeguards” and vetting of the third-party organization with the relevant EU supervisory authorities. In the absence of a positive green light from those authorities, transfers are permissible if it can be shown that the appropriate safeguards have been put in place.

Chapter 5 states that companies need to follow data protection best practices inside and outside of EU jurisdiction. GDPR ensures all data emanating outward from European-supervised entities gets transferred with due caution and security of data subject rights.

6-11. Understanding the Additional Detail Contained in the Remaining Chapters

The structure of the GDPR document outlines most of the key terms, concepts, and prescriptions in the first five chapters. The back half of the regulation paper is less concerned with introducing new ideas and more concerned with firming up processes of compliance, enforcement, and sanctions related to GDPR compliance. Nevertheless, in this part of the document, there are essential points to note due to tangible business impact. 

Establish a Supervisory Authority

Chapter 6 calls for the establishment of at least one supervisory authority in each European Member State. Authorities monitor and enforce GDPR compliance in a given country, and businesses in that country submit annual reports proving GDPR compliance. SMEs, therefore, should look to incorporate streamlined reporting capabilities into their data operation. Chapter 7 describes in further detail how these supervisory authorities are to cooperate to promote EU-wide GDPR compliance.


Chapter 8 of the GDPR breaks down compliance processes and the penalties imposed for failing to comply with GDPR rules. We recommend that all critical stakeholders in SME data operations read through these articles in detail. Does your business need more convincing of the unique and financially significant consequences of taking the GDPR lightly? Then remember: GDPR violations can result in fines of up to 4% of the business’s global turnover (per annum). This can turn into billions of dollars, as recent GDPR cases involving the FAANG companies have demonstrated. Forewarned is forearmed!

Outstanding Business Items

Finally, Chapters 9-11 tidy up outstanding items of business, including some discussion of exceptional data cases and the adoption of different Member State data measures. Development teams and other SME stakeholders do not need to focus on this part of the document, especially when they will need to work so hard to process and incorporate all of the detailed instruction that has come before.


In conclusion, the GDPR is a significant and wide-ranging piece of legislation that will have a big impact on the business and technology landscape. Though the many implications of the document may seem daunting, if you have made it to the end of this guide: congratulations. You are now significantly better informed on the steps you need to take to become data compliant. Now it is time to round up the key players in your business (developers, management, marketing teams, and more) and start to game-plan for the changes that lie ahead.


Data Security: 4 Ways Your Team Can Do Better

In recent years, news coverage of high-profile data breaches has fostered the assumption that data heists are always sophisticated efforts by devious hackers in far-off lands. The reality is much more mundane.

According to a recent study by Securis, simple employee error causes 25% of data breaches. If your team spends all its time anticipating black swan events, it’s easy to overlook everyday safeguards. Organizations need to take the necessary steps to keep data secure in a fast-moving business environment. In some jurisdictions (EU), a designated Data Protection Officer oversees the day-to-day management of organizational data security processes. 

If you’re a large organization operating in GDPR territory or an SME preparing for greater data regulation (CCPA), you can take these four steps to get the basics right.

First: Think Physical.

Imagine you have spent months testing your infrastructure. You have ensured your site has the necessary certificates and built the protocols to store data securely and anonymously. Then someone from marketing leaves a USB stick on the table of a coffee shop, and just like that, all the hard work is undone in an instant.

Technical teams need to think beyond the way data is stored to the way their team members, particularly non-technical ones, access and transport company data. They should take responsibility for educating colleagues who are unaware of the risks, teaching them the level of caution needed when handling this precious resource.

In real terms, this means running workshops and seminars that educate the rest of the organization on best practices and warn of the consequences that follow when casual attitudes prevail.

Second: Keep Access Control Granular.

Despite your best efforts, technical teams must understand that every employee constitutes a security risk and a potential access point for data thieves. Consequently, organizations should work to make data access as granular as possible. 

No team member should have access to anything more than the data necessary to do their job. An “all-or-nothing” access policy should be avoided at all costs. The same philosophy applies to development work and to third-party services and applications.

Password management tools and secrets vaults are essential for your developers, but you should also limit access for individual services and systems: grant each service access only to the data necessary to perform its function.

Third: Password Policies Matter.

If your organization has thought proactively about the previous two priorities, you still need to remember that passwords are the first line of defense, and the most vulnerable access point for security breaches.

Build password protection into your company’s IT architecture to increase security for every employee and customer. Risk is drastically reduced by providing customers and staff with a two-factor authentication (2FA) login procedure. Furthermore, passwords to company networks and systems should be safeguarded with 2FA and encryption at all times.

Fourth: Use Regulations As A Guidepost.

The landscape is ever-evolving, and companies are loath to share the inner workings of their data systems with the world. SMEs are therefore challenged when gauging whether they have taken the appropriate steps to safeguard customer and business data.

Here, it can be useful to compare your policies against the requirements laid out in regulations like the GDPR, the CCPA, and HIPAA. These regulations are the law in their respective jurisdictions, but they are also a good summary of the minimum level of security and accountability that organizations need to build into their data infrastructure. What’s more, they are not all that complex, particularly if you have experience with the subject matter.

We encourage developers to go straight to the source and familiarize themselves with the articles of the GDPR as a handy starting point for thinking about data security.

Published from our Privacy Magazine – To read more, visit Privacy.dev

Fundamentals of Ethical & Compliant Data Management

If one were to chart the most important developments in the business landscape over the last 20 years, top of the list would surely be the growth of consumer data as a precious resource. Never before have companies had access to such powerful stores of business intelligence, and never before have they had such a pressing responsibility to manage that resource carefully. In 2019, data management is very commonly the difference between success and failure. The disastrous consequences of mismanagement fall on the company in question and, more importantly, on the consumers who trusted that company to protect their information.

If a business is serious about succeeding, it is imperative to build a dependable data privacy management operation from the ground up. That starts with defining a robust and comprehensive user data policy. 

Let us walk through fundamental principles that should be top of mind for any team drafting such a policy. While some of these points may seem like common sense, too often in recent years common sense has been conspicuously absent in approaches to data management. Stick to these points, and avoid the mistakes of others.

Respect for the User is Uppermost

As the final, and arguably most crucial, principle of Dr. Ann Cavoukian’s “Privacy by Design,” this is a primary consideration for development teams at all times. Developing a reliable digital product is the sum of countless design micro-decisions, and at every step along the way the question “does this respect the user?” must be answered in the affirmative. If businesses respect the user first, the other conditions of a sound data policy follow naturally; transparency, and privacy as the default setting, logically follow.

Data Captured Must Have a Legal Basis for Collection

The legal basis for data capture is a crucial consideration when crafting a coherent data policy. In many parts of the world the law explicitly requires one. Article 5(1) of the GDPR stipulates that personal data must be processed “lawfully, fairly and in a transparent manner,” and Article 6 sets out the six conditions under which processing is considered lawful.

In Brazil, the LGPD lists ten such conditions. For private companies and brands, “legal basis” most often equates directly to consumer consent. Any team building data collection and management infrastructure must therefore think proactively about consent as a system feature. Retrofitting consent onto pre-built systems is a recipe for disaster…and for legions of consumer protection lawyers licking their chops.

Think Proactively About Theft – Prevention & Response

There is a temptation for organizations to pay too much attention to their shiny new data collection system. In reality, that is not enough: organizations need to pay at least as much attention to storage and theft prevention. Further still down the list of an average marketing manager’s considerations are the contingency plans for responding to a data breach.

However, technical teams can start prioritizing these concerns even in the absence of instruction from non-technical members of the organization. After all, the legal requirements under the GDPR are precise. Article 32(1) mandates “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” Articles 33 and 34 detail the required response to a data breach: the supervisory authority must be notified within 72 hours of the organization becoming aware of it, and affected data subjects must be told without undue delay where the breach is likely to result in a high risk to them. An organization with no process in place to meet these deadlines is exposed to liability regardless of whether or not the breach causes damage.

Never Withhold

This is a non-technical principle with considerable technical implications for any data collection and storage system. As a governing principle, it helps dev teams make the right decisions at every stage of development. There must be a system for updating data policies and sharing them with the people whose data you hold. There must be transparency at every juncture of the collection process. And there must be processes in place for handling Subject Access Requests (SARs) in a streamlined, efficient manner. The only circumstance in which the GDPR lets an organization withhold part of a subject’s personal data in response to an access request is where handing it over would adversely affect the rights and freedoms of others (Articles 12 to 15, in particular Article 15(4)). That is a rare occasion, the exception that proves the rule: withholding a user’s data from them is, for the most part, forbidden under the GDPR and comparable data regulations around the world.


Preserving Data Privacy in the Age of Facial Recognition

Public anonymity is dead. While the phrase “public anonymity” may sound like an oxymoron, let me explain. You can’t walk along a street, visit a store, or attend an event without the possibility of someone knowing you’re there. A government entity, a store owner, or a tech giant can identify you, and track everywhere else you’ve been, by your physical appearance alone.

In 2018, facial recognition technology spent much time in the news. Amazon licensed its Rekognition product to law enforcement despite the presence of gender and racial bias in some of the current technology. China used facial recognition to shame jaywalkers publicly. It’s clear that society faces moral and philosophical questions, such as: who owns, and who should have access to, your physical identity and information in the real world?

Truthfully, this conversation breaks into two discussions. First, what rights do law enforcement and government entities have to track us? Second, for what purposes do we allow companies to access and use our visual identities?

Facial Recognition

Much of the focus to date has been on government use of facial recognition. The ACLU concluded, “Face surveillance threatens to chill First Amendment-protected activity like engaging in protest or practicing religion, and it can be used to subject immigrants to further abuse from the government.” San Francisco has already proposed a ban on the city’s use of the technology.

Aaron Peskin, the member of the Board of Supervisors who proposed the ban, put it bluntly: “I have yet to be persuaded that there is any beneficial use of this technology that outweighs the potential for government actors to use it for coercive and oppressive ends,” he stated.

As this discussion heats up, there will undoubtedly be those who cry, “If you’ve got nothing to hide, you’ve got nothing to fear!” Despite this shallow rationalization, I fully expect masks and other facial coverings to become increasingly popular in public spaces — potentially even stylish.

More significant, in my opinion, is how we allow companies to use facial recognition. Apple uses the technology to let you unlock your iPhone. Facebook uses it to let you tag your friends in photos. To date, these applications take place online and under our control; to our knowledge, the owners of this technology have not deployed it in the public sphere. However, public deployment is inevitable. For instance, the sensors on Google’s Waymo vehicles will have the capability to act as a roaming camera network, identifying pedestrians and even keeping track of where they’ve been, just as Android does today.

Biometric Identification

Admittedly, there are many beneficial and convenient applications for consumer-facing biometric identification technology, as I’ve written about before. Biometric access control will get rid of physical keys or fobs for your home, office, and other institutions. Your physical identity may function as a non-transferable ticket to a concert or sporting event. The need to “ID” people with their driver’s licenses will disappear.

Since the wide-scale deployment of biometric identification is likely inevitable, it’s imperative that we think through all of the potential nefarious use cases and set some ground rules. Lauren A. Rhue, Assistant Professor of Information Systems and Analytics at the Wake Forest School of Business, commented on the potential misuse of facial recognition technology: “The risk in giving up any biometric data to a company is that there’s not enough transparency, not only about how the data is currently being used, but also the future uses for it.”

Establish Standard Operation Procedures

Companies looking to deploy biometric identification or facial recognition outside of homes need established standards and operating procedures.

  • Mandatory opt-in: users must opt-in to have their biometric identity scanned, stored, and tracked.
  • The company needs to be transparent in how they use data today and in the future. Also, this includes any potential for 3rd parties to access or utilize (anonymously) this data (for instance, targeted advertising).
  • The company cannot buy or sell data to pair biometric identification with other data. For example, online activity or credit card data.
  • A bright and transparent value proposition to consumers: “By using your biometric ID, we make it easier to X, Y, and Z.”
  • The company needs to have the ability to delete all personal and biometric identification information at-will completely.

It is clear to me that current tech giants are likely incapable of fulfilling the proposed standards above. They’re too large, diversely focused, and have historically made too many mistakes regarding data privacy and use. Instead, there’s a distinct need for companies built from the ground up to focus on transparently managing people’s biometric identities. Additionally, it should be divorced from any other business lines or monetization streams. 

To summarize, we have a short window of time to establish the standards by which companies may use our physical characteristics, so that our privacy is preserved. Any for-profit company that wishes to deploy biometric identification technology outside of the home or the internet should agree to the ethical, transparent, and responsible use of such technology. After all, they are accountable if they fall short of these standards.


Inefficiency in Data Privacy for Online Advertising

Google and Facebook dominate the data-driven online advertising market and have created an ecosystem whose network effects are hard to break. The tech giants accumulate user data; their targeting becomes more refined; wasted impressions fall. Yet their business models are built on foundational inefficiencies and give rise to a precarious externality: the invasion of data privacy.

Data Privacy Swept Under the Rug

Online advertising has finally brought traceability to an industry that has long been unsure of its real impact. Click and conversion rates reveal how much traffic an ad generates, so advertisers can measure precisely whether their ads are prompting the desired behavior.

As a result, advertisers are poised to shift a growing share of their advertising spend towards creating and placing digital ads. In turn, social media platforms and search engines reap higher revenues through highly effective targeting, which drives them towards ever more collection and analysis of user data. This optimization mechanism, however, sweeps concerns over privacy under the rug. It also hides the underlying ineffectiveness and inefficiency of the data-driven online advertising model.

Under the current paradigm, online platforms sell their users’ attention to advertisers rather than optimizing their value proposition towards the users themselves. The cost of that advertising is built into the price of the goods and services users go on to buy, so a rational user arguably already pays for Google and Facebook, just indirectly and at a markup. Either way, the user ultimately finances the middleman: the digital advertising industry.

Eliminating the Middlemen

One way is to eliminate this entire trade of intermediaries, starting with a pay-to-play model similar to Netflix or Spotify. Google and Facebook could cash in on the full value consumers perceive their services to be worth. Meanwhile, the incentive of the two advertising giants would shift from getting to know their users to the maximum extent through big data and AI towards providing the highest perceived value to users.

One could, of course, argue that the customization enabled through the study of user behavior and preferences would still be valuable to users. It would, however, become difficult to rationalize the volume of private data collected on them. In practice, Facebook and Google have opted to offer their services for free to foster quick and widespread adoption. Nonetheless, the average revenue generated per user for Google and Facebook (around two dollars per month) raises the question of whether users would prefer to pay directly for their internet search activity and social media usage.

A New Revenue Model

Users’ concerns are growing as they learn more about current ad targeting practices. Thus, we may well reach a turning point where Google and Facebook see their incentive structure altered in favor of a new revenue model. Regulators would be well served to nudge the data giants towards pay-to-play models to raise the probability of this outcome. Still, users have to do their part by raising their willingness to pay for internet services that protect their data.


Data Privacy & The Future of Digital Advertising

There’s a famous saying in Silicon Valley, “If you can use a product for free, then you’re probably the product”. Nowhere is this more truly illustrated than by the business models of Google and Facebook; two of the most valuable companies in the world; two of the most potent vehicles for consumption in human history.

Google and Facebook scaled at incredible speed by offering their web services to users for free. As their user bases exploded, they monetized their platforms by building the most sophisticated ad targeting capabilities ever created, on the back of data supplied willingly (so they claim) by their users. Today, the two companies combined account for over 50% of digital advertising spend in the United States, to the tune of roughly $60 billion.

Calls for Tighter Regulation

One could surmise that upsetting this cash cow would require some genuinely seismic event. The growth of global data regulation policy might be just that. It has taken legislators some time to catch up with the pace of technology, but since the 2016 U.S. presidential election, the way these companies collect, store, and utilize consumer data has been squarely in the crosshairs of public opinion. Our discomfort with the sheer volume of data these companies have amassed, and how that data gets exploited, is palpable. The result? Increasingly loud calls for tighter regulation.

In Europe, both companies have already run afoul of the GDPR and been hit with hefty fines. Facebook currently faces an inquiry into a data breach that could result in a bill of multiple billions of dollars. As the rest of the world moves to institute similarly comprehensive data regulation, it’s not crazy to think the cost of doing business through a user-data-driven model may look less and less appetizing to Google and Facebook.

Pay-to-Play Model

Furthermore, there’s a case to make that the average user would be willing to pay more to use Google and Facebook services than the amount of revenue they generate as a set of eyeballs for viewing digital ads. The latest estimate puts that figure at $2 per month. Would you pay $5 a month for an ad-free Google and Facebook experience, secure in the knowledge that your data is safe from the highest bidder? It’s worth considering!

While a pay-to-play subscription model is admittedly still a point on the horizon, the winds of public and regulatory opinion are pushing us closer to that destination. It’s impossible to overstate the industry upheaval that would occur if it came to pass. Overnight, brands would be deprived of their primary source of digital eyeballs, and Facebook and Google could stop trying to strike that delicate balance between user experience and advertiser results.

In essence, this move would restore the traditional, pre-digital relationship between customer and producer, with the marketing middleman cut out. Far-fetched? Possibly. However, if you’re not thinking ahead of the data curve, you end up, inevitably, behind it.


Do These 3 Things for User Data Privacy Compliance

Just a few short years ago, the idea of user data privacy compliance on the internet was as dubious as the idea of Miranda rights in the Wild West. Back then the web was, and many would argue it still is, an adolescent medium growing at supernova speed. Pioneers discovered boundaries only long after crossing them. Regarding personal data, the frontier mindset prevailed: if you could catch it, you could keep it. In recent years, however, this aspect of online exchange has finally begun to experience welcome regulation. Now there are real consequences for actors that fail to follow regulatory requirements on the collection, storage, and exploitation of personal data.

The GDPR in Europe is the most widely known and powerful piece of data regulation, but it’s essential to realize that many of its tenets are soon to be adopted, in one form or another, worldwide. In California, the CCPA will come into effect January 1, 2020. India is currently finalizing a far-reaching data privacy bill. In Brazil, the LGPD will become the law of the land sometime in early 2020. For businesses all over the world, the need to be user data privacy compliant will only grow more critical. So, assuming you aren’t yet able to pore over the fine print of each piece of legislation to ensure compliance, what are some general steps you can take to protect your business from falling afoul of the regulator?

Be Specific and Get Consent

Capturing every piece of data under the sun and figuring out how to use it after the fact is a practice rapidly being consigned to the dustbin of history. Article 7 of the GDPR states that data controllers must be able to “demonstrate that the data subject has consented to the processing of his or her personal data.” Furthermore, this consent can’t be tacit or assumed. The request for consent must be presented “in a manner which is clearly distinguishable from the other matters…using clear and plain language.”

A logical, mandatory consequence is that the purpose of data collection and processing must be clearly stated. You can’t meaningfully ask for consent to capture an undefined set of data. Personal data can only be collected for “specified, explicit and legitimate purposes” (Article 5(1)(b) of the GDPR). The upshot for development teams is clear: define the specific data you want your system to capture, state what it is for, and obtain affirmative consent from your users.

Be Aware, Users Can Withdraw Consent

Another vital point is that obtaining consent does not make it iron-clad in perpetuity. Article 7 of the GDPR also provides that “The data subject shall have the right to withdraw his or her consent at any time,” and that “it shall be as easy to withdraw as to give consent.” What does this mean for your business? Most basically, your website, app, or digital product must offer a straightforward way for users to retract their consent, and your system must have built-in processes to honor it. Withdrawal does not make the processing that came before it unlawful, but from that moment on the data can no longer be processed on the basis of consent, and if consent was the only lawful basis the data must be erased (Article 17(1)(b)); it cannot quietly live on in a backup, a log, or an analytics table somewhere in the infrastructure.

Remember You Can’t Keep it Forever

In the old days of only a few years ago, once a company had your data, it was theirs to keep. However, regulators have stepped in to advocate for data subjects’ right to have their data scrubbed from systems, whether on request or once it is no longer needed for the purpose it was collected for. The most well-known development around this “Right to Be Forgotten” was a 2014 ruling in which the Court of Justice of the European Union held that Google had to remove links to out-of-date information regarding a Spanish man. While search engine results are not the purview of most SMEs, the general principle is now enshrined in the GDPR via Article 17, entitled “Right to erasure,” and Article 19, which obliges the data controller to pass an erasure on to every recipient with whom it has shared the data. Article 5(1)(e) adds the storage limitation principle: data may be kept in identifiable form no longer than necessary for its purpose.

Does your system have controls in place to remove data efficiently once its retention period has elapsed or a subject asks for it? It had better!
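The mechanics behind the three points above, and behind the Subject Access Request handling described under “Never Withhold” earlier on this page, as one added illustration on a small SQLite store (not code from the original article). Collection is refused for any purpose without active consent; withdrawing consent stops processing and erases the data held only on that basis; a subject access request exports everything held about one person; full erasure cascades through every table; and a scheduled purge enforces a per-purpose retention period. The schema, the purposes, the retention periods and the sample records are assumptions.

```python
"""Consent, access-request export, erasure and retention on a small
SQLite store.

Added illustration, not code from the original article. The schema, the
purposes and the retention periods are assumptions; the records used with
it are constructed sample data.
"""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE subjects (id INTEGER PRIMARY KEY, email TEXT NOT NULL, created_at TEXT NOT NULL);
CREATE TABLE consents (subject_id INTEGER NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
                       purpose TEXT NOT NULL, granted_at TEXT NOT NULL, withdrawn_at TEXT);
CREATE TABLE events   (id INTEGER PRIMARY KEY,
                       subject_id INTEGER NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
                       purpose TEXT NOT NULL, payload TEXT NOT NULL, recorded_at TEXT NOT NULL);
"""

# Assumed retention policy: how long data collected for each purpose may be kept.
RETENTION = {"analytics": timedelta(days=90), "newsletter": timedelta(days=365)}


def iso(t):
    return t.isoformat()  # UTC ISO-8601 strings sort correctly as text


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores ON DELETE CASCADE otherwise
    db.executescript(SCHEMA)
    return db


def register(db, email, purposes, now):
    cur = db.execute("INSERT INTO subjects (email, created_at) VALUES (?, ?)",
                     (email, iso(now)))
    sid = cur.lastrowid
    db.executemany("INSERT INTO consents VALUES (?, ?, ?, NULL)",
                   [(sid, p, iso(now)) for p in purposes])
    return sid


def has_consent(db, sid, purpose):
    row = db.execute("SELECT 1 FROM consents WHERE subject_id = ? AND purpose = ? "
                     "AND withdrawn_at IS NULL", (sid, purpose)).fetchone()
    return row is not None


def record_event(db, sid, purpose, payload, now):
    """Refuse to collect anything for a purpose without active consent."""
    if not has_consent(db, sid, purpose):
        raise PermissionError(f"no active consent for {purpose!r}")
    db.execute("INSERT INTO events (subject_id, purpose, payload, recorded_at) "
               "VALUES (?, ?, ?, ?)", (sid, purpose, json.dumps(payload), iso(now)))


def withdraw_consent(db, sid, purpose, now):
    """Art. 7(3): stop processing on that basis; Art. 17(1)(b): erase the data
    that was held only on that basis. Returns the number of events erased."""
    db.execute("UPDATE consents SET withdrawn_at = ? WHERE subject_id = ? "
               "AND purpose = ? AND withdrawn_at IS NULL", (iso(now), sid, purpose))
    return db.execute("DELETE FROM events WHERE subject_id = ? AND purpose = ?",
                      (sid, purpose)).rowcount


def export_subject(db, sid):
    """Subject access request: everything held about one person, or None."""
    subject = db.execute("SELECT id, email, created_at FROM subjects WHERE id = ?",
                         (sid,)).fetchone()
    if subject is None:
        return None
    consents = db.execute("SELECT purpose, granted_at, withdrawn_at FROM consents "
                          "WHERE subject_id = ?", (sid,)).fetchall()
    events = db.execute("SELECT purpose, payload, recorded_at FROM events "
                        "WHERE subject_id = ?", (sid,)).fetchall()
    return {
        "subject": dict(zip(("id", "email", "created_at"), subject)),
        "consents": [dict(zip(("purpose", "granted_at", "withdrawn_at"), c)) for c in consents],
        "events": [{"purpose": p, "payload": json.loads(pl), "recorded_at": r}
                   for p, pl, r in events],
    }


def erase_subject(db, sid):
    """Art. 17 right to erasure: the cascade removes consents and events too."""
    return db.execute("DELETE FROM subjects WHERE id = ?", (sid,)).rowcount == 1


def purge_expired(db, now):
    """Storage limitation: delete events older than their purpose's retention.
    Run on a schedule; returns the number of rows removed."""
    deleted = 0
    for purpose, keep in RETENTION.items():
        deleted += db.execute("DELETE FROM events WHERE purpose = ? AND recorded_at < ?",
                              (purpose, iso(now - keep))).rowcount
    return deleted
```

Two design points carry over to a real system. Every event row carries the purpose it was collected for, which is what makes both the purpose-scoped withdrawal and the per-purpose retention sweep a single query instead of a manual audit. And the `PRAGMA foreign_keys = ON` line is not decoration: without it SQLite silently ignores the cascade and an “erased” subject leaves orphaned events behind, which is exactly the quiet survival of data that withdrawal and erasure are meant to prevent. Backups and logs need their own, separately documented retention schedule.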


Security & Privacy: Minimizing Data Breach Risk at the Source

Thus far, we’ve spent much time examining the core principles of the GDPR and other pieces of data regulation, and we’ve worked through some of the implications these documents carry for the UX and back-end functionality of consumer-facing applications. However, there are many other components to a robust, secure data operation. Let’s look at the core principles of ensuring your hardware, software, and applications are specified to withstand attack. It’s no secret that threats to digital security are on the rise, and the consequences of a data breach are a PR nightmare of epic proportions (hello, Equifax). Start with these steps to get smart about your company’s infrastructure.

Encrypt On-Premise Storage Devices

Many businesses continue to use SSDs and HDDs as a backup storage solution. Data on these devices should be encrypted at rest from the outset (full-disk encryption with a strong passphrase, with the key kept separately from the device). Doing so significantly reduces the risk that bad actors can read the data if a storage device is lost or stolen.

Assess Network Security

The infrastructure hosting company communications is vital to your ability to do business, and each device on it is a potential entry point for malicious outsiders: your wireless router, your company phones, your web servers. It’s easy to overlook these when you’re just starting your company, but we strongly recommend that even small startups get serious about protecting their data by conducting a network security assessment, identifying potential risks to your systems, and working with partners on mitigation. It may seem like overkill, but what you do now will save you later, especially if you succeed and grow: the bigger you become, the more attractive a target you are, and the greater the risk. Getting your house in order now will safeguard you in the future.

Employ Due Diligence with Hosting Platforms, Third-Party Libraries, and Code

Online resources are a great way to develop solutions quickly, which is why SaaS platforms have grown increasingly popular and third-party libraries have become an essential tool for letting development teams work efficiently. Never assume any of these resources is impervious to attack. Your organization must perform due diligence on every modular component it builds into its solution: does the vendor or project publish security advisories and offer a way to report vulnerabilities? How quickly are they fixed, how would you hear about one, and how would you mitigate it?

Compliance Criteria

At a minimum, cloud service providers should be complying with criteria such as:

  • SOC 2 – an attestation report based on the AICPA’s Trust Services Criteria that evaluates an organization’s controls for security, availability, processing integrity, confidentiality, and privacy.
  • ISO 27001 – one of the most widely recognized, internationally accepted independent security standards: a framework of policies and procedures that covers the legal, physical, and technical controls involved in an organization’s information risk management processes.
  • ISO 27018 – An international standard of practice for the protection of personally identifiable information (PII) in public cloud services.
  • PCI-DSS – If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant provider.
  • Privacy Shield – the Privacy Shield Framework was designed to provide a mechanism for complying with data protection requirements when transferring personal data from the European Union to the United States. (It was invalidated by the Court of Justice of the European Union in July 2020; check which transfer mechanism currently applies before relying on it.)
  • FedRAMP – The Federal Risk and Authorization Management Program is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

In some cases, it can be the right business decision to build your own controls rather than rely solely on the security features bundled with a given hosting platform. If your company is handling financial data, we recommend owning the sensitive parts of the code path yourself and encrypting the data both in transit and at rest, so that no one can read it even if it is intercepted during transfer or stolen from storage.

SSL Your Site

Lastly, on the point of data transfer, it is now non-negotiable for any business conducting online commerce to serve its site over HTTPS, which means obtaining a TLS certificate (still widely called an “SSL cert”). An SSL cert, in the words of the makers themselves, “is used to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it.” If you’re in development, you understand the many waypoints a piece of data travels through in transmission; encryption is vital. Furthermore, certificates provide authentication that lets users know they “are sending information to the correct server and not an imposter.” Do users know the technical implications of what this means? Unlikely. But do they get nervous when their browser warns them that the site may not be trustworthy? The bounce rate from that alone is enough to justify the investment for almost any business.
