Unsecurity Podcast

Justin Webb is back for a discussion centered around the California Consumer Privacy Act (CCPA), primarily. Brad and Evan briefly provide an update on the new show format and some information security news as well.


Podcast Transcription:

[00:00:23] Brad Nigh: And welcome back. This is episode 57 of the Unsecurity podcast. I’m your host this week, Brad Nigh, and it is December 9th, and joining me is my co-host, Evan Francen. Good morning, Evan.

[00:00:33] Evan Francen: Good morning Brad.

[00:00:34] Brad Nigh: How are you today?

[00:00:36] Evan Francen: It’s still too early to tell. Even though I did get up, I got up super early this morning, Monday morning for me, for some reason I don’t know, I got up at like three.

[00:00:44] Brad Nigh: Got in before the snow. It’s not, yeah, I was doing when I came in, fun. It’s not supposed to be too bad. Only like I saw 2-4, somewhere in there. All right. We have a great show planned today. This is the second part of our first two-part show. And we welcome back our favorite data privacy attorney, Justin Webb. Hi, Justin.

[00:01:07] Justin Webb: Hey guys, how’s it going back again?

[00:01:09] Evan Francen: That’s right. We called you our favorite, does that mean anything?

[00:01:12] Justin Webb: It means actually very, very much to me. Yes. Yeah.

[00:01:18] Brad Nigh: All right. Uh in last week’s show, episode 56, we discussed quite a bit. We talked about the Target lawsuit against Chubb and China’s cryptography law, and we had intended to talk about the California Consumer Privacy Act, or the CCPA, but we decided to move it to today’s show in order to give it more of the attention it deserves. So before we dive into the CCPA let’s check in quick, um how is everyone’s week? Justin, we’ll start with you.

[00:01:44] Justin Webb: I’m busy, I’m just spending time working with clients on CCPA. Um it’s been pretty gangbusters in December, I think everybody is sort of feeling the pressure. Um and so we’re spending a lot of time working on privacy policies, um uh working on people’s sort of data subject request um forms, and uh it’s a lot of CCPA stuff and a lot of sort of cleanup at the end of the year. Um so a lot of hours, but good times, and um we had this webinar um called “We’re All in This Together,” um I think that’s pretty accurate because um if you talk to some attorneys, they would refer to the CCPA as a dumpster fire. I think there’s a professor in California, Eric Goldman, who did a post on his blog about it and he just had a picture of a dumpster fire. So I think that’s pretty accurate. A lot of people are happy about the law and privacy rights, but I think a lot of people think the implementation and language uh leave much to be desired. So it’ll be interesting to talk about it today because um I think everybody is confused. So good times had by all.

[00:02:57] Brad Nigh: Yeah, sounds, sounds about right. Uh my week, I was busy, shocking, into the year. Everybody’s, you know, scrambling to get this stuff done and, you know, doing a lot of the uh 2020 planning and wrapping all that stuff up. And uh yeah, it’s one of those things, I think I came in the latest I was in the office last week was like 6:30, was my late day.

[00:03:24] Evan Francen: So he slept in,

[00:03:25] Brad Nigh: I slept in that day. Yeah, just it’s that time of year.

[00:03:31] Evan Francen: Yeah. Everything’s just kind of nuts.

[00:03:33] Brad Nigh: Yeah. Everybody wants their last minute we’ve got budget dollars to spend or we need budgeting for next year. We need the assessment done by the end of the year. Because we have to for regulatory, we waited till you know, 49.5 weeks into the year to decide that

[00:03:55] Evan Francen: security is not an afterthought, is it? No, no,

[00:03:58] Brad Nigh: no. How about you, Evan? How was your week? You had a light week light for you? Thought so. I didn’t want you only in one place last week.

[00:04:08] Evan Francen: Yeah, I only visited

[00:04:09] Brad Nigh: one. It’s

[00:04:10] Evan Francen: light, it wasn’t too bad. Well, before we get started, we were talking about what happened this weekend and I couldn’t remember this weekend. But let’s see, I was in uh Phoenix, Arizona, Scottsdale, which doesn’t suck, by the way, uh for December when you’re from Minnesota. Uh hit up three barbecue joints, you know, you gotta get your priorities straight. So I was down there for the ISSA Q4 chapter meeting. Very well attended, 75, 80 people were there. I was speaking number three out of four. It was a full day event. Um barbecue joints. I went to Naked Q. That was really good. Little Miss was the winner last week. If you ever follow EvanFrancen.com, you can find the roadshow

[00:05:03] Brad Nigh: had to quit because I was just getting jealous and my mouth was watering.

[00:05:06] Evan Francen: Yeah, so we uh we had 26, and 28. That’s the number of barbecue joints we’ve visited on the road show. Little Miss was the best for this week. I met some really, really cool people, met an ISSA Hall of Famer, guy named ritual. And uh so now we’re connected and can collaborate together on some things. Uh but yeah, really, really awesome event. Um so yeah, I got back on Friday.

[00:05:37] Justin Webb: Yeah midday, yes, are

[00:05:39] Brad Nigh: you Friday afternoon? It’s

[00:05:40] Evan Francen: cool. Yeah, it’s a good good week. All right, we should bring some of that weather up here.

[00:05:46] Brad Nigh: Yeah. Yeah. Did you see the highest like Tuesday Wednesday? I’m

[00:05:51] Evan Francen: going to Dallas though this week.

[00:05:53] Brad Nigh: Yeah, I think tomorrow I’m supposed to be like three Wednesday is like one or two. Not cool. Yeah. Yeah so you’ll enjoy Dallas alright

[00:06:05] Evan Francen: Pecan Lodge. That’s the barbecue

[00:06:06] Brad Nigh: joint. Yeah

[00:06:08] Evan Francen: I gotta, I gotta go, so we went there before and it’s the leader right now in the roadshow barbecue challenge thing that we’re doing. Um I went to Little Miss though this last week and I was telling John, I’m like, I don’t know if this was better than Pecan Lodge or not, we should go

[00:06:23] Brad Nigh: back and I think you have to verify, validate. Our cross to bear there. Yeah, it’s a tough life. All right, so now we’re going to get into this whole CCPA thing. So most of the show is dedicated to this discussion. On Evan’s blog there are three different references. One is from the California government site, one from CSO Online and one from Deloitte, a quick reference guide. So uh I guess first we’ll just kind of start talking about what the CCPA is. Well, yeah, first

[00:07:00] Evan Francen: off I wanted to talk to uh Justin and just get his take on Justin I assume you probably checked out those three references.

[00:07:08] Justin Webb: I did. What

[00:07:09] Evan Francen: were your thoughts were those pretty good references to share?

[00:07:12] Justin Webb: Yeah, I mean the first one is uh a link to the California Attorney General’s page and it’s got sort of like all the information that you need about the statutes, um and also the regulations that um the Attorney General put out um back in October, um and those are sort of the Attorney General’s um interpretation of the statute, and um I think much to some people’s chagrin, they kind of expand on what’s in the actual law. Um and so there’s been some chatter um on the internet that, you know, those things may be subject to legal challenges because they expand. So typically when you have um a legislative body that drafts the law, like let’s say Congress or the California legislature, and they delegate um the right to an executive branch to interpret the law, or any other branch for that matter, um they’re supposed to stay within the confines of the law, right? So like you explain it more, you sort of provide guidance to people, but you don’t make new law. Um and so the Attorney General of California has certainly made new law um in the context, and in interpreting things you inherently are making new law, but you’re uh supposed to stay within the confines of the law and that just hasn’t really happened here. There are additional requirements. But yeah, that page has got a lot of the good information and I think a lot of people, um or at least some that we’ve run into, aren’t aware that the California Attorney General has put out regulations and they’re much more specific about what you’re supposed to do under CCPA. Um and so if you haven’t looked at those yet or you’re just operating off the law, you should absolutely look at those because they have additional requirements that are pretty important. Yeah,

[00:09:01] Evan Francen: well one of the things, I mean, every time they come out with a new law it’s, you know, for me I just, just give me kind of the nitty gritty, what do I need to know and what do I need to implement? I thought the, and I don’t like to give Deloitte any more credit than they’re going to get right now, uh but I thought their little two-page quick reference guide, it was a pretty good guide. What do you think of that one?

[00:09:27] Justin Webb: Yeah, I thought it was pretty good too. I mean I think, you know, whenever you talk to an attorney, right, he is going to say, well, there’s so much more detail and um a lot of like nuance in the law, but I mean as a general matter, um you know, it hits the high points um that you need for CCPA. And I think um you know the recommendation of any attorney of course is that you should work with an attorney um on your CCPA compliance because there are a lot of gotchas in the law, in my opinion. Um and um it’s absolutely confusing, so if you’re just reading it um uh and you’re not an attorney, um I would not be shocked if you had absolutely no idea what you were supposed to do. Um and so it’s good for sort of all of these secondary sources that are interpreting the law to help people understand sort of the high level requirements because it is um uh, even to us attorneys, the um, there’s an article that came out I think on Friday from Courthouse News that talked about the last public hearings for CCPA. So the Attorney General has had multiple public hearings. You can see those dates on the Attorney General’s website, and at this last one um they put up this news story that says businesses confused over terms of California’s new privacy law. Um and I can send the link over to you so you can share with everybody, but um one of the attorneys that they quote at these public hearings, his name was Todd Smithline, um and he was sort of picking on the law um probably um like a lot of other people wish they could. And one of the things he said is, quote, let’s face it, this thing was essentially written by a broken robot. Um and it was sort of, you know, meant to capture what I think a lot of attorneys and others have thought, which is that, you know, the law still contains sort of internal inconsistencies. There were a bunch of cleanup bills that went through to try and clean that up. 
Um the governor signed, I believe, eight amendments to CCPA um leading up to the Attorney General regulations that came out. Um and so the law has continued to change even since it was um sort of quickly implemented um and quickly passed. And so I think the sort of bottom line is there. Um so when I go back to sort of the webinar we had, which was, you know, we’re all in this together, which is, you know, everybody is trying to figure this thing out. Um and so I try and encourage people not to get too discouraged by um the lack of clarity in the law, that’s, you know, sort of the main reason why you need an attorney to kind of help you wade through the morass that is uh CCPA.

[00:12:21] Brad Nigh: So so what you’re saying is a law that was written in seven days

[00:12:25] Evan Francen: when you said that,

[00:12:27] Brad Nigh: you said you

[00:12:28] Evan Francen: said morass, did you need more

[00:12:30] Justin Webb: ass? That’s a weird, yes, it was, it was, you know, it was proposed as a ballot initiative, and the California Legislature, um you know, when you pass something, a ballot initiative, the only way you can change it is by another ballot initiative, you can’t, the legislature can’t modify something that sort of the people of the state of California have approved. And so the legislature can propose the same bill in the legislature and therefore um get the people who proposed it on the ballot to agree to withdraw it, um so long as it’s the same bill, and so then the Legislature can make changes to it, which they obviously have. And so it was a quick process. If you talk to the people who drafted CCPA, they will say no, it wasn’t. We had been talking to the legislature for a long time. Um but it’s hard not to think that there was some um, you know, quickness to it because it was introduced and passed within seven days and it didn’t go through, at least in my opinion, or at least it doesn’t look like it went through, the kind of cleanup, harmonizing that you would normally see um in a comprehensive privacy law. So if you look at GDPR, um it makes a lot of sense, and granted it was based on um a previous law, you know, the previous European um data protection law. And so I think that sort of clouds the entire sort of interpretation and implementation of CCPA, it’s sort of the original um sin, if you want to call it that, of having this thing go through pretty quickly and still remaining um pretty confusing.

[00:14:14] Evan Francen: So for our listeners, we have a series of questions that we put in the show notes. And one of those was, I think sometimes we just assume that people know what CCPA even is. So let’s just, if we could just maybe start there. What is CCPA? Yeah,

[00:14:30] Justin Webb: so CCPA is the California Consumer Privacy Act um of 2018, um and so it effectively is a law that um talks about what companies, and the law uses the term businesses, um are supposed to do with regard to personal information. So um it provides things like um the right for people to ask for the categories of information that a business collects. It defines relationships between businesses and service providers who handle personal information on their behalf. Um it provides penalties for failing to um uh comply with the law that can be enforced by the Attorney General. Um and it generally requires a few things. The first is that you update your privacy policy um to have specific disclosures um about sort of how you use information, who you share it with, um whether you sell information. And a lot of the law is focused on um companies selling personal information. So um and one of the amendments that came later on was sort of this data broker amendment which was meant to capture companies whose sort of primary business um is selling information. So the law provides you this right to sort of click on a button or a link that says do not sell my information. Um and that company or business that um is collecting information is not permitted to sell it to a third party. Um and so that’s meant to sort of give people um an opt-out right from uh selling personal information. Um it requires the disclosures that I talked about in the privacy policy. So sort of how are companies using information, who they sell it to. Um and then it also allows consumers to make requests um to see the actual um information that companies have on them, to require them to delete that information. Um it gives a right of data portability, which means um uh not just sort of showing me the information that you have but actually giving it to me, um so I could take it um and give it to another company or do with it what I may. 
Um and so it provides all of these rights and defines relationships between parties, provides penalties. And so the major components of it, for companies who are trying to comply with it, are updating your privacy notice, either to provide everybody the rights or just individuals in California. Um I think a lot of companies have made the decision to just provide these rights to individuals in California um because it’s a California specific law, um and then um providing a way for people to make those data subject requests, so to uh delete, or do not sell my information, or provide the access. The law requires you to train your employees um about CCPA and handling requests. And it also um sort of has this inherent requirement to negotiate agreements with third parties, actually agreements with the service providers, to make sure that they aren’t using personal information for their own purposes in a way that would constitute a sale of personal information. And the concept of selling personal information is sort of one of the more confusing parts of the law because selling personal information isn’t like I give you my Social Security number and you hand me a $5 bill. Um it can also be I give you my Social Security number and you are allowed to do something with that that enriches you, um and so even if you don’t give me money back. Um and so um it’s called sort of uh, you know, like providing information um and obtaining anything of value or for valuable consideration. Um and so that’s where a lot of people get stuck on the law, and really what it means is if you’re giving information to a service provider, they can’t just do whatever they want with it. They can only do what you’ve told them to do with it, which is kind of a GDPR-like um concept.

[00:18:54] Evan Francen: So it’s simple then is what you’re saying

[00:18:57] Justin Webb: is very simple. Very very simple.

[00:18:59] Brad Nigh: I mean realistically at the core concept it really isn’t that hard. It’s just what are the requirements to actually do that?

[00:19:09] Evan Francen: Yeah. I don’t know. This looks very very disruptive.

[00:19:12] Brad Nigh: Yeah. Well I mean from a from a basic perspective right? You can’t use my information without my consent or is really what what they’re saying? Sure.

[00:19:23] Justin Webb: Yeah, and actually the law doesn’t really, so GDPR says like you can’t process personal information unless you have a legitimate sort of purpose for doing that. Um CCPA doesn’t have something similar. So it doesn’t really restrict what you can do with personal information except with respect to sales of personal information. So um there are a few restrictions in there, but the large portion of the law is just telling people what you do with the information. The only real restrictions are you can’t do um with information things that you didn’t disclose to people. You can’t collect information from individuals if you haven’t provided them um some notice of what you’re going to do with it and what you’re collecting. Um and there are some restrictions on like additional sales of personal information. So if I um sell personal information to a company and it wants to sell that information again, um it needs to get opt-in consent from individuals to do that. But for most purposes it doesn’t provide that many limitations. It’s mostly a limitation on sales and mostly sort of providing notice through a privacy policy.

[00:20:41] Evan Francen: Okay, now you brought up GDPR a couple of times in sort of your discussion, and I’ve heard other people make comparisons between CCPA and GDPR. How are these two things similar, other than obviously they both deal with personal private information, but how are they similar?

[00:21:01] Justin Webb: tom easy answer

[00:21:03] Evan Francen: even. Yeah

[00:21:04] Justin Webb: I mean it’s somewhat easy. I mean I think they’re both similar in that they require notice to individuals of sort of like what you’re doing with information. Um in varying degrees they both provide um individuals with um those data subject rights. So the right to tell companies not to do certain things with information, to provide you a copy of what information they have about you. Um GDPR is much more comprehensive. It has additional things like data minimization, um which means, you know, only collecting uh, you know, the smallest amount of information necessary to sort of achieve your purpose. Um it also has the right to sort of like make sure a company has accurate information, which is not something that CCPA has. Um but for the most part, you know, they cover sort of notice and um data subject rights. GDPR expands on that and actually requires sort of like opt-in consent in certain scenarios. Um and there isn’t really any opt-in consent portion of CCPA other than um for minors. So individuals under 13 um have to have opt-in consent from their parents, um and for people between the ages of 13 to 16 there are sort of additional requirements. Um and so one of the sort of hard parts of CCPA is if you’re collecting information from individuals, you know, 16 and under. Um so but otherwise there isn’t a lot of opt-in consent, it’s all sort of opt out of the sale of personal information.

[00:22:50] Brad Nigh: So if a company says, yeah, we’re GDPR compliant, are they safe to say they’re CCPA compliant? Are there additional, you know, different things that they have to have in place, or?

[00:23:03] Justin Webb: Yeah, so they’re not, um I think they’re much closer than a US company that’s never had to deal with GDPR, because they’re familiar with sort of the data subject rights, you know, sort of providing personal information to individuals. But um there’s no sort of concept directly in GDPR about do not sell. So at the minimum you would need to provide the do not sell my information link. Um and you also still have to update your privacy notice uh to be compliant with the requirements of CCPA. Um so a lot of companies have, you know, already sort of spent the time to prepare a GDPR compliant privacy notice, um and they still have to update it to include additional sort of California terms, and one of the sort of unintended consequences, I think, of all of this is that it’s making privacy notices longer. Um and the uh, you know, one of the things the Attorney General said in the regulations is that you need these privacy notices and all of your interactions with consumers to be clear and simple so that people can understand it, but in reviewing, um I have this pastime which I’m very sad to talk about, which is that pretty much every morning I search the internet to see um new CCPA privacy notices that have been posted, just to see what other companies are doing and how they’re interpreting the law. Um and in large part those privacy notices are just getting longer. Um and so I don’t know that that actually helps people. Um it makes it even more confusing as to what a company is doing. Um and so um while I know the law was intended to sort of provide additional clarity to consumers, it will be interesting to see um if that’s really true, and I doubt that it is. 
Um and it will be interesting also to see if the Attorney General goes after companies who have sort of, you know, made their privacy notices longer and even more incomprehensible um as a violation of those regulations requiring it to be simple and sort of straightforward.

[00:25:18] Brad Nigh: Well, does

[00:25:20] Evan Francen: does anybody read those anyway, I mean, as a consumer, I can honestly say, I don’t ever read privacy policies.

[00:25:27] Justin Webb: I mean, I, you know, there’s a lot of sort of research on this and, you know, a lot of um commentary, and I think the answer is that it’s not common, unfortunately, for people to read those. I, as a privacy attorney, read every privacy policy um that has to do with an app or really anything. I mean, I’ll be honest, I don’t every time I go to a website read their privacy notice, but if I’m going to give them my personal information, um you know, like actually type it in there, I look at it. And even, you know, if you don’t do that, um you know, websites are collecting information from you all the time in the form of cookies, pixels. Um and so, you know, when people are like, it’s really creepy that this ad keeps showing up, um it’s of course because you’re being tracked, you know, across websites and over time, um and companies are paying to get their ads placed in front of you um multiple times because the thinking is that you’ll go back and, you know, purchase that product, whatever it is. Do you read, do you

[00:26:28] Evan Francen: read cookie notices too, because that’s another thing I never read anymore. I mean, I used to read, I read maybe the first couple of weeks, now it’s just so irritating. I just, okay, accept, accept, accept. I think a lot of consumers do that too.

[00:26:40] Justin Webb: I’m pretty sure that’s probably the case. Um I think for super privacy minded individuals they might spend time looking at that, and some websites um that are um fully compliant with both the European Privacy Directive um and GDPR give you the right to sort of um turn off and on cookies. So, you know, um there are different categories of cookies, but the way GDPR and the Privacy Directive are read together means that I should be able to say no to certain cookies that I don’t want. Um and so you might see that on certain websites, where they have like little buttons that say yes to these cookies or no to these other ones. Um but no, I don’t think a lot of people read cookie notices. I wish the opposite were true, but um, you know

[00:27:32] Evan Francen: and I get the intent, I mean I get the intent of doing it, you know, trying to empower the consumer, but I fear that we’re just reinforcing a behavior that we’ve seen over and over and over again, which is, yeah, users don’t, it’s just more noise for them. They just click and click and click. And then the one thing that you actually do want them to read, they’re going to click through that one too because they’re creatures of habit.

[00:27:57] Justin Webb: And, you know, one of the other things in the new regulations from the Attorney General was a requirement that at the time of collection, so when you actually collect the information from the consumer, so like, you know, right when I’m about to hit submit, um or um whenever I’m sort of collecting information from people, even if it’s a closed circuit television, I have to provide them with notice. So like notice at the time of collection, that’s different than, you know, just posting something in a privacy notice, right? So I’ve got to tell them before they hit submit that I’m collecting these kinds of information and these are the sort of reasons for doing that and what I’m going to do with the information. Um and so that helps in some sense to provide people notice, and one of the requirements in CCPA that I think a lot of people um are challenged with is if you collect information from people offline. So like when I walk into a convenience store in California, if they’re going to collect personal information from me, like ask me, uh, you know, like swipe my credit card, which is collecting personal information from me, or whatever, they have to post a notice of at least a link to their privacy policy. So, well, you’ll see when you walk into California stores and elsewhere in California, um you know, after January 1st, is if they have a CCTV camera, you’re going to see a notice posted prominently that says for more information about our privacy practices, you know, go to, you know, x company dot com slash privacy, um and we collect um, you know, CCTV images for fraud prevention and security purposes. So they’ll talk about what they collect, what they do with it and where to find more information. So it’s going to require companies to post a bunch of sort of physical notices in their store when they’re collecting personal information from individuals. Crazy.

[00:29:55] Evan Francen: So who does, who does CCPA apply to? Like, we’re a small company here in Minnesota, and not small, I mean 80-ish employees with, you know, good revenue, but we don’t deal in personally identifiable information. You know, we don’t sell it, we’re not that kind of company. Yeah. Yeah.

[00:30:20] Justin Webb: I think the threshold requirements, and these are really important, I think um a lot of people haven’t taken the time to sort of do them, they automatically assume CCPA applies to them. Um and when we deal with clients, um we’ve had some that come in and say, hey, we need to comply with CCPA, um and we take a step back and say okay, before we even go into like the requirements of the law, let’s talk about whether or not this thing even applies to you, because the first line of defense, right, is to say we don’t even meet the requirements. So let’s not even worry about it. So the requirements are you either have 25 million in revenue um or you collect the personal information of um 50,000 people in California. Um and it’s 50,000 people, um you know, individuals, households or devices. Um and so that requirement has been interpreted um to mean um even sort of like information that we collect on your website, so it’s potentially um possible that you could hit that 50,000 California resident or households or devices threshold um just by having a website that, you know, drops cookies on um 50,000, you know, uh individuals or devices. Um but there’s a little bit of nuance to that. The other is that you would be selling um uh personal information um of individuals in a certain amount. But the two main ones are 25 million revenue or um collecting, you know, uh 50,000 pieces of personal information um from individuals, households or devices. And then the other requirement. So even if you meet one of those two, the other requirement is that you um, quote unquote, do business in California. Um and so um this is again sort of an amorphous requirement that is not defined in the law, which is pretty challenging. Um there hasn’t actually been guidance from the Attorney General on this point. 
Um but what it’s been generally interpreted to mean is that if you engage in commerce with California, so I have a website, somebody comes and orders a product from me and I ship it to California, that may be enough, depending on what attorney you talk to, but more importantly, if you’re a company and you’re registered to do business in California, um you’re probably gonna have a hard time arguing that you aren’t doing business in California. And so a lot of people have foreign jurisdiction registrations for their company because they might have to pay um sales tax in California for internet sales. Um and so um if you have physical employees in California, you’re probably doing business in California, visual paying individuals. Um if you have sales agents, and a lot of that is kind of similar to um interpreting GDPR and whether or not it applies to you even though you’re not a United States company. Um but I would encourage, um you know, we want to go through like a fulsome analysis with clients about whether or not the law applies, and so it also doesn’t apply to nonprofits, with some exceptions, so if you’re a nonprofit entity um you will most likely be exempt from the law. So, you know, there are some ways to get out of it, I guess is a good way of putting it. And so uh if you’re under 25 million, um you know, you have a pretty good shot of not being subject to it unless you hit this other sort of information collection threshold.

[00:34:04] Evan Francen: All right, so to summarize: for-profit companies, $25 million in revenue or more. And then it's "or," not "and." But it's or 50,000 consumers, devices, whatever, personally identifiable records, I guess. And then there's another "or," which is, but you sell personally identifiable information. Right?

[00:34:33] Justin Webb: Correct. Yeah. And a certain amount of personal information. So it's actually that you derive 50% or more of your annual revenue from selling personal information. So if, like, half your business is selling personal information, that's the other "or." And so for most companies, and I guess it really depends on how broadly you interpret that term "sell," which is sort of the, you know, confusing portion of the law. But most businesses aren't going to hit that 50% threshold unless you're like a data broker where you're really sort of trafficking in personal information. I mean, that sounds like drugs. But, you know, you handle a lot of personal information and sell it. So those are the main requirements.

[00:35:29] Evan Francen: Okay, now California residents, right? Is this current residents, former residents? Because I know, like, the Massachusetts data protection law, that was kind of a big thing because it was sort of if you ever lived in Massachusetts, right? Is California's... does this one work kind of the same way?

[00:35:49] Justin Webb: Not that I'm aware of. I mean, it's supposed to be California residents, sort of, period. And so, you know, the other thing is it gets a little hairy if you, let's say you have a website and you're like, you know, we don't want to be subject to CCPA, so we're going to geofence the website and restrict anybody from California from actually engaging in commerce. We're not going to ship anything to California to try and avoid the law. You still potentially could have people who are California residents who flew to New York and are, you know, checking out Times Square, and then engage in commerce with your website. And that's still a California resident, right? I think you might have a pretty good argument that if you cut off all access to California that you're not doing business in California, but you potentially could still collect information of California residents. And so part of the sort of challenge is, you know, you've got California residents that are not just stationary in California; they move around. And one of the other sort of concepts in the law which I think is important, and still hasn't been fleshed out, is the law doesn't apply to activity that happens wholly outside of California. I don't think anybody really knows fully what that means, but the way that I sort of interpret it is, you know, you're collecting information from people and generally engaging with them. Like, let's say I'm a Wisconsin gas station and I meet the $25 million threshold, and, you know, maybe I do business in California with my website or something like that, but somebody from California walks into my gas station in Wisconsin and I collect their personal information. That's all happening wholly outside of Wisconsin. And so the argument would be that CCPA does not apply. Like, I don't need to post signs in my gas station in Wisconsin about CCPA rights if I'm physically present outside the state. But the law is not wholly clear on this point. And so that may be another way to sort of get out of part of the CCPA requirements. And the bottom line for all of this stuff is, just like with GDPR, where, you know, it went into effect on May 25th, 2018, and a lot of companies took the wait-and-see approach, which is let's wait and see what happens and then determine sort of how scared we should be by the enforcement actions. That's absolutely the case here. You know, we're not going to know how broadly and how, you know, forceful the enforcement will be on this until we see the California Attorney General actually enforce it.

[00:38:45] Brad Nigh: Yeah, it's going to be interesting on, like, IPs or phone information, right? Because I'm a Minnesota resident and my phone number is not Minnesota-based, because people move around and keep their phone number. How do you ensure, right? Or VPNs, right? When...

[00:39:04] Evan Francen: You mentioned the wait-and-see approach, you know, and so that would be, you know, let's see what the consequences are going to be. So it's a good segue into: what are the penalties for noncompliance? Are those well spelled out in the law?

[00:39:19] Justin Webb: Yeah, this is one area where it is clear. So for the privacy portions of the law, so most of the law is focused on privacy, but there are some additional provisions that talk about data breaches, and mostly that relates to fines, or potential statutory penalties, I should say, for that. But if you don't post, like, a CCPA-compliant privacy notice, or you don't provide individuals with the data subject rights, or do some of the other things in the law, then the Attorney General is the only person or governmental entity that can come after you, and the fines are $2,500 per violation if it's sort of a negligent violation, and then it's $7,500 per violation if it's sort of willful, which means, like, you knew what the law was and you decided, I'm not going to do it, right? So you sort of had knowledge of it and you intentionally didn't comply with the law. But it's not as if the Attorney General can just come and sort of fine you; there's also a 30-day period to cure. So theoretically the Attorney General would come to you and say, hey, you're not doing these things, and you would have 30 days to fix that, and if you didn't fix it within the 30 days then they could fine you for the money. But it's not clear exactly how that's all going to work in practice. But I think the larger point is that there isn't any private cause of action, so at least on that front, nobody can come in and sue you. Like, a consumer couldn't file an individual or class action lawsuit against you under the $2,500/$7,500 portion of it.

[00:41:09] Evan Francen: So that almost seems to reinforce the wait-and-see approach, doesn't it?

[00:41:14] Justin Webb: It does. I think it does. The question is, you know, if I just completely ignore the law, right? And then the Attorney General comes and says, hey, you haven't posted your privacy notice and you haven't allowed people to exercise their data subject rights, and they give me 30 days to cure that and I fix everything. Does that wash away all of the violations of the law? So, like, the failure to provide people their information, to post a privacy notice, to have certain provisions in my agreements with service providers. It's not clear if that's how it works, like it's a total get-out-of-jail-free card, or whether there's some other fining that could be done in that area. But it does absolutely reinforce the wait-and-see approach.

[00:42:02] Evan Francen: And it doesn't seem, I mean, per violation...

[00:42:06] Brad Nigh: I mean, is that...

[00:42:07] Evan Francen: for instance, you know, per occurrence or per...

[00:42:11] Brad Nigh: Yeah, "we noticed you don't have this policy," that's one violation? Or all 50,000 people that you're...

[00:42:19] Evan Francen: collecting...

[00:42:20] Brad Nigh: on. Is that 50,000?

[00:42:23] Justin Webb: That, and, you know, if there are 12 requirements for your privacy notice, you know, each one being you disclose these certain things, are those each a violation of the law? I'm sure you can make an argument that for each, like, sentence in the law, each provision, that's a violation. So I think that's another sort of thing that's unclear. One of the other sort of important points on this front is the Attorney General of California is, you know, one man and then an office of attorneys, right? But we're talking about a regulation that potentially regulates companies across the United States, and so it's not exactly going to be easy to enforce this everywhere in the land. And so the thinking is that the Attorney General obviously is going to try and enforce this in scenarios in which they're trying to make examples and trying to ensure sort of compliance with the law. But the other thing is that, like, you know, if you're a small company that just barely hits the $25 million threshold, you may not be, you know, the prototypical target of the Attorney General two days after the law goes into effect, or I should say two days after the enforcement deadline, which is further out. So, like, the law goes into effect January 1st, but the enforcement isn't until the middle of the year, about six months later. So the point being that, you know, that's a lot of companies to try and police. And so we'll see how that actually occurs. And I think it's going to be an extreme challenge for the Attorney General to comprehensively police this.

[00:44:10] Brad Nigh: So maybe the big-name tech companies in Silicon Valley that are based there should be a little bit more concerned than the smaller ones.

[00:44:18] Justin Webb: Yeah, and that would be consistent with people's opinions post-GDPR.

[00:44:25] Brad Nigh: That makes sense.

[00:44:27] Evan Francen: Yeah it does make sense.

[00:44:28] Justin Webb: So, and if you think about it in, like, a harm sense, right? If you're trying to prevent the most amount of harm, you would be focused on companies that are collecting the most amount of information.

[00:44:40] Brad Nigh: Yeah, it does. I mean, it makes... should

[00:44:42] Evan Francen: go to Equifax and TransUnion and...

[00:44:45] Justin Webb: Yeah, so the other portion of the penalties is for data breaches. So California's law has a requirement now that you use reasonable security measures to protect personal information. And the modification to the law is that there is now a private cause of action. So somebody can sue you if you have a data breach and you failed to use reasonable security measures negligently and that caused the data breach. So the fear for a lot of people isn't even really the privacy portion of this law, but in terms of, like, pocketbook, if every time you have a data breach somebody's going to sue you and argue that you failed to use reasonable security measures negligently, and the fine is between $100 and $750 per individual. So you can imagine, like, an Equifax breach having a significant amount of damages. And those are, I shouldn't say fine, I keep using that word, that's wrong, it's statutory damages, which means the damages that are permitted per individual. So if I was a single person and I sued the company for a data breach, I could get up to $750, or if my actual damages are higher than that, I could get my actual damages, so, like, what I actually sort of was hurt, or, you know, the effect on me. But the fear isn't, you know, individuals suing under this; it's a class action lawsuit in which you get sued every time you have a data breach and, you know, there are statutory fines that are extremely hefty. And any time you have a statutory, you know, recovery provision in there... I said fine again, I shouldn't have done that. Every time you have statutory recovery provisions which provide certain amounts, it's very attractive to plaintiffs' attorneys who want to maximize the amount of recovery, because it's not worth it to sue for one individual, because the legal fees will probably be more than, you know, what you recover, the $750.

But if you do that for a million people, then you hit the jackpot and you are highly motivated to sue. And so I think the fear is that this could potentially cost companies a lot of money. And nobody knows what the proof will look like to prove these sort of negligently failed to use reasonable security measures.

[00:47:25] Brad Nigh: Well, I would say not changing default passwords or things, you know, it was "admin" and "password." That's pretty... But yeah, it'll be interesting.

[00:47:34] Justin Webb: That one would probably be a pretty open case, I think. You know, like having unsecured WiFi, you know, unless it's like a public network, or, you know, using a password like "God," G-O-D, probably wouldn't get you very far. I think the other thing is that one of the interesting things about California is that the Attorney General, back when it was Kamala Harris, said here's what reasonable security measures are. They put out this sort of, like, a document that said, you know, to have reasonable security measures in California, we interpret that as complying with the Center for Internet Security, the CIS Controls. And so it's the only state that I know of that has actually sort of... and actually that's not true, now that I think about it, but it's the only state that's expressly stated one particular framework that you should adhere to to prove that you have reasonable security measures. So presumably in these lawsuits they're just going to cite to this Attorney General opinion and documentation and go to the company and say, look, you didn't use the CIS, you know, Top 20 or whatever, I can't remember exactly which CIS Controls it refers to, and say you didn't meet those and therefore you're automatically not using reasonable security measures.

[00:48:58] Brad Nigh: That'll be interesting. So it sounds like right now my opinion, as not a lawyer, is for organizations: know what data you have, know what controls you have in place, do some best practices, and just wait and see.

[00:49:17] Justin Webb: Yeah, I mean, I think what we've told companies, you know, sort of at the high level, is: do some data mapping, you know, know what information you collect and where, who you provide it to, and sort of make this analysis of whether or not you sell personal information; update your privacy notice; provide some place, either an email address, an online web page or a 1-800 number (you're actually supposed to have two of those in certain scenarios) to allow people to exercise their rights; make sure you've got, you know, in addition to the privacy notice, these just-in-time privacy disclosures; you know, train your employees; and do some work on your contracts to make sure they comply with CCPA. Those are sort of the high-level requirements. But, you know, everything starts with knowing what information you have, because you can't update your privacy notice to make all the disclosures required, like the categories of information you collect, if you don't know what you're collecting or, you know, what you use it for.

[00:50:25] Brad Nigh: Yeah, makes sense. So, great discussion. Thank you, Justin. Hopefully the listeners get some real value out of this. And a quick housekeeping thing before we get into the news. The quick reminder is the upcoming new edition of the show starting after the first of the year. We're going to be devoting about 10 minutes of each show to anyone who's looking for a job in the information security industry. You can email us at unsecurity@protonmail.com if you want your slot, and we will be responding on a first come, first served basis. And yeah, we've received several emails, which is really cool. So if you're chosen and the time works out, we'll invite you on the show to learn about you. Think of it as a quick 10-minute interview. No pressure for anyone who wants to do that.

[00:51:11] Evan Francen: Right. We’re going to give you some really challenging questions.

[00:51:15] Brad Nigh: So we're working out the kinks between now and then, but yeah, we'll have a standard format defined, and if you're looking for a job, use us to help you get the word out. So stay tuned. We'll mention this a couple more times here, and yeah, I think it's going to be interesting.

[00:51:34] Evan Francen: Fun. I'm excited to meet some new people and help them hopefully land a job.

[00:51:39] Brad Nigh: Yeah. So lots of things this week, but just a couple of news stories. The first one is on infosecurity-magazine.com: "Six Customers Affected by Ransomware Attack on CyrusOne." So the big thing here is a data center provider, one of the largest in America, has become a victim of ransomware. So CyrusOne had an attack involving REvil. How do you pronounce it? Is it just called "R-evil," "are evil," or "evil"? I'm not going to pronounce the one in parentheses because that's going to be ugly.

[00:52:13] Evan Francen: So did I. So did not gonna be, Yeah,

[00:52:16] Justin Webb: thank you. That’s right.

[00:52:19] Brad Nigh: This attack had taken place on Wednesday; customers of the New York data center suffered loss of service. So six of the customers had availability issues. It's not good. I think we're seeing it more and more, right? They're attacking managed service providers, data centers. And I know we had a couple of calls from data centers or MSPs that had some issues and had failures of basic things, like, you know, segmentation and things like that.

[00:52:58] Evan Francen: Well, and to give CyrusOne, you know, some credit, they do have, you know, thousands of data centers all across the country, uh, not thousands of data centers, thousands of customers in data centers across the country. So six, you know, in context, may not be that significant. And it appears as though they responded really quickly. So, you know, sort of kudos to CyrusOne, because it's not if you are going to get hit; it's just a matter of time. And then it's what are you going to do to respond to it? Do not pay ransoms. Make sure you have those backups, make sure they're air-gapped, make sure you can recover. And it sounds like CyrusOne did that. So, yeah.

[00:53:40] Justin Webb: Yeah. I mean, we keep seeing, you know, supply chain attacks are just crazy. You know, the motivation of attackers is let's get the service provider because we're going to hit a ton of customers. You know, we get 40 for one. And that's happened to a lot of sort of medical software providers in the Wisconsin area recently, one involving dental practices. And as a matter of fact, I think I just posted something else about another sort of dental software provider who was hit, and then another one that sort of helped nursing homes with software. And so it was my understanding, at least from the article, that they're having problems sort of dispensing medication and doing sort of other things that are required of nursing homes, because this software was required to do that. So, you know, I think people always think that these kinds of things can take down businesses, but they can also have an effect on your health. It's not just people sort of hacking health-related devices, you know, pacemakers, stuff like that, for really cool DEF CON presentations, but also potentially affecting people's real-world lives.

[00:55:04] Brad Nigh: Yeah, that's going to be interesting. Yeah, exactly. The next one is "China fires up Great Cannon denial-of-service blaster" on theregister.co.uk. Pretty much, as they, you know, a DDoS tool from a state sponsor, so, you know, not a whole lot you can do on that one. Just interesting to read, I thought. And then the last one is on hackery.com: "New privacy tool exposes which websites leave your data unprotected." And, you know, I think it's a very interesting concept, and I'll be honest, I have not read all the details behind it and what they collect and what the process is, but basically it's going to tell you, using a Chrome extension, what the website collects and what they're doing about you. So that would be one to keep an eye on. So that's it; episode 57 is a wrap. Thank you, Justin, for joining us and sharing your perspective again.

[00:56:15] Justin Webb: Yeah, thanks. Thanks for inviting me back. I'm very thankful to have been the two-parter yet. So this has been great, guys.

[00:56:24] Brad Nigh: All right, so we've got another great show planned next week, but we can't let the cat out of the bag yet. Thank you to our listeners. Keep the questions and feedback coming. Send us, I'm sorry, send things to us by email. Reading is very hard this morning for me, if you couldn't tell. Send us email at unsecurity@protonmail.com. If you're the social type, socialize this with us on Twitter. I'm @BradNigh and Evan is @EvanFrancen, and if you'd like to get in touch with Justin, you can find him on LinkedIn. Lastly, be sure to follow @StudioSecurity and @FRSecure for more goodies. That is it, and we will talk to you all again next week.