WebProNews

Tag: CCPA

  • Privacy and Cybersecurity Challenges in 2023 – Part One

    With a new year comes new privacy and cybersecurity challenges for companies large and small, not the least of which is new regulation. The tech industry is facing new regulations in 2023, some of which will have profound impacts on day-to-day business and carry hefty penalties for non-compliance.

    Here are some of the top regulatory issues companies need to be aware of:

    Voluntary Cooperation Is Out; Regulation Is In

    One of the major changes moving forward in 2023 is an expected change in the US government’s approach to cybersecurity. In the past, the government was largely willing to allow companies to handle cybersecurity issues on a voluntary basis, but those days appear to be over.

    The White House Office of the National Cyber Director is expected to unveil major new initiatives in the first half of 2023, and many of them will be mandatory.

    “We’ve been working for about 23 years on a largely voluntary approach,” said Mark Montgomery, the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “The way forward is going to require thinking about regulation.”

    California Consumer Privacy Act of 2018

    One of the biggest regulatory challenges businesses will face is the California Consumer Privacy Act of 2018 (CCPA), including the Proposition 24 amendments that were passed in 2020 and expanded the scope of the CCPA.

    Per the California Attorney General’s office, the CCPA guarantees the following rights:

    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale or sharing of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.

    In addition, the Proposition 24 amendments add the following:

    • The right to correct inaccurate personal information that a business has about them; and
    • The right to limit the use and disclosure of sensitive personal information collected about them.

    The latter two rights, in particular, are of special note since they went into effect on January 1, 2023.

    Most important, however, is a provision that allows customers to take legal action against companies that fail to properly protect their data and expose such data as a result of a breach. This places a tremendous responsibility on companies to ensure all possible measures are being taken to reduce their possible liability.

    Increased GDPR Enforcement

    Another major hurdle many businesses will face is increased enforcement of the European Union’s GDPR. While the GDPR has been in effect for years, companies on both sides of the Atlantic have largely ignored some of its provisions.

    The EU sent a clear message in 2022, however, that companies will continue to ignore the GDPR at their own peril. For example, in January 2022, the Austrian Data Protection Authority ruled that Google Analytics violated the GDPR and was therefore illegal, impacting countless EU-based companies and websites.

    At the heart of the issue is the protection of EU citizens’ data when it is in the hands of US-based companies. The EU is especially concerned that US intelligence agencies could have unwarranted access to such data. While the US and EU are working to establish a new data-sharing deal that would address such concerns, such a deal is still a ways off, leaving companies to navigate the complicated situation on their own.

    In the meantime, the EU has made it clear it will continue to go after companies that ignore its privacy and cybersecurity regulations.

    “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice,” says Max Schrems, honorary chair of The European Center for Digital Rights. “Many EU companies have followed the lead instead of switching to legal options.”

    General Issues

    In addition to the above specific concerns, there are a number of general concerns companies face. Ransomware attacks have been a growing threat in recent years, especially attacks that target vital infrastructure.

    As a result of the growing threat, cybersecurity has been a major focus of the Biden administration, with multiple executive orders, memorandums, and fact sheets addressing the issue. Some of these include unprecedented requirements, including mandatory measures to improve the overall cybersecurity of US businesses and agencies.

    Dealing With the Challenges

    Understanding the challenges is just the first step in properly preparing for and dealing with them. In Part Two of this series, we’ll look at some specific steps companies and organizations can take.

  • Virginia Following California’s Example With Privacy Law

    Virginia is poised to join California in enacting comprehensive privacy legislation to protect its citizens.

    Unlike the EU, the US does not have national privacy legislation. As a result, California was the first state to pass such legislation to protect its own citizens. The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. An updated California Privacy Rights Act (CPRA) was approved by voters on November 3, 2020 and goes into effect January 1, 2023. The CPRA builds on the CCPA, adding additional protections.

    Virginia is now on the verge of passing its own privacy legislation, according to Reuters. The Virginia Senate has passed a version of the bill, following the Virginia House’s passage of its own bill a week earlier. The next step is for legislators to reconcile the two bills and pass the reconciled version, which shouldn’t pose a problem since the two bills are almost identical. Once the governor signs the bill into law, it will go into effect January 1, 2023.

    Another state privacy law will further complicate things for companies that will have to abide by multiple state laws. Some companies were already applying the CCPA to all US customers and may decide to do the same with Virginia’s law, should it go into effect.

    Either way, if Virginia passes its own privacy legislation, it will increase pressure on the US government to pass comprehensive federal privacy legislation.

  • FTC Demands Answers From Big Tech on Privacy

    The Federal Trade Commission (FTC) has issued orders to nine social media and video platforms, inquiring about their data practices.

    Big Tech is under more scrutiny than ever before, and privacy is a big focal point. Data breaches and mishandling of consumer data in recent years have made individuals and officials more privacy-conscious. As a result, there have been some instances of groundbreaking legislation, such as the EU’s GDPR and California’s CCPA/CPRA.

    It appears the FTC is increasing its own scrutiny of companies’ data practices, with an order to “Amazon.com, Inc., ByteDance Ltd., which operates the short video service TikTok, Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC.”

    The FTC is specifically looking to understand how these platforms “collect, use, track, estimate, or derive personal and demographic information.” In addition, the FTC wants to know how these platforms determine which ads and content are shown to users, how they handle user engagement and how children and teens are impacted.

    Some companies, such as Apple, Microsoft and Mozilla, have taken strong stands on privacy. The platforms covered by the FTC’s order, however, have based much of their business on collecting user information. In many cases, there has been a lack of transparency about what data is collected and how it is used.

    Hopefully the FTC’s inquiry is the first step toward stronger data protections for consumers.

  • California Voters Pass Version 2.0 of the CCPA Privacy Legislation

    California voters passed Proposition 24, widely considered to be version 2.0 of the California Consumer Privacy Act (CCPA).

    The CCPA was a ground-breaking piece of legislation for the US, the first of its kind to so vigorously protect the privacy of consumers. In many ways, the CCPA was the American equivalent of the EU’s GDPR. Although the law was unique to California, some industry leaders vowed to apply its protections to all customers, even those outside of California.

    Proposition 24, officially known as the California Privacy Rights Act (CPRA), picks up where the CCPA left off, expanding the CCPA, closing loopholes and increasing protections even more.

    One of the biggest changes is the creation of a new agency that will oversee the enforcement of the regulation. Another change is that the CPRA makes companies collecting data responsible for what any companies they share that data with do with it.

    In addition, the CPRA differentiates between personally identifiable information and sensitive personally identifiable information, such as Social Security number, logins, precise location data and biometrics. This gives companies more options to fine-tune their marketing to use non-personal information, rather than lose access altogether.

    The legislation includes many other improvements, including more opt-in requirements, limits on how long companies may retain personal information, limits to how sensitive personal information may be used, reasonable expectations data will be kept secure, legal options if companies fail to do so and more.

    It’s a safe bet these increased measures and a dedicated enforcement agency will extend the CPRA’s reach even further than the CCPA’s. Since companies will be responsible for how third-party partners, including non-California partners, use data, many more companies will likely opt to apply CPRA protections to all of their customers in the interest of simplicity.

  • California Begins Enforcing New Privacy Law

    Following a six-month grace period, California has begun enforcing its new privacy regulation, effective July 1.

    The California Consumer Protection Act (CCPA) was signed into law on January 1. Similar to the EU’s GDPR, the CCPA is a robust set of laws designed to protect individual privacy and give consumers more control over the data companies collect about them. Companies were given a six-month grace period before enforcement began, but that grace period ended on June 30.

    The CCPA likely impacts more companies than many realize. It directly applies to companies that do $25 million in annual revenue, companies that derive at least half of their revenue from selling their customers’ data or companies that collect data on at least 50,000 individuals.

    Potential penalties are high enough to ensure compliance. Non-intentional violations could cost as much as $2,500 per incident, while intentional violations could cost as much as $7,500.

    While many companies have struggled to be ready for the new law, privacy advocates have praised it for protecting the interests of consumers.

  • Mozilla’s Firefox VPN Now Available In Beta

    Mozilla’s standalone Firefox VPN service has entered beta and is available for Windows, Android and Chromebooks.

    Mozilla has emerged as one of the staunchest privacy advocates in corporate America, coming out in favor of the California Consumer Privacy Act (CCPA), vowing to extend its protections to all Firefox users. Similarly, Mozilla extended the protections offered by the EU’s GDPR to all users as well.

    Given its strong focus on privacy, it’s not surprising Mozilla has opted to offer VPN software. VPNs are critical components for journalists and political dissidents around the world, not to mention corporate use and anyone concerned with privacy.

    Mozilla is offering two varieties: one as a free browser extension and the other as a standalone service for $4.99/mo. The latter is what is now available in beta. Mozilla touts servers in 30+ countries and no browser or network monitoring or logging. The service can be used on five devices under a single account.

    The beta is currently available for Windows 10, Android and Chromebooks, with macOS, iOS and Linux coming soon.

  • Senator Kirsten Gillibrand: ‘The U.S. Needs a Data Protection Agency’

    Senator Kirsten Gillibrand is introducing new legislation to create a Data Protection Agency.

    Senator Gillibrand makes the case that people have untold amounts of data about them scattered across the internet. Even worse, much of that data was collected without consent or, at the very least, without users knowingly agreeing to it being collected. In the digital age, that data represents a gold mine for countless companies who profit from it.

    “I believe that this needs to be fixed, and that you deserve to be in control of your own data,” writes Gillibrand. “You have the right to know if companies are using your information for profit. You need a way to protect yourself, and you deserve a place that will look out for you.”

    Specifically, the legislation Gillibrand is introducing, The Data Protection Act, would “establish an independent federal agency, the Data Protection Agency, that would serve as a ‘referee’ to define, arbitrate, and enforce rules to defend the protection of our personal data.”

    The agency would focus on returning control of their data to Americans, support innovation while ensuring fair competition and help advise Congress of digital threats as they emerge, making sure the government is educated and prepared to meet those threats.

    Gillibrand’s announcement comes amid a growing focus on privacy. Salesforce co-CEO Keith Block recently said the U.S. needed a national privacy law; the California Consumer Privacy Act (CCPA) became law January 1; and Clearview AI has gained infamy as the company “that can end privacy.”

    It remains to be seen if Gillibrand will have the necessary support to pass The Data Protection Act, but it definitely will be welcomed in many circles as a step in the right direction.

  • Salesforce Co-CEO Says U.S. Needs National Privacy Law

    Salesforce co-CEO Keith Block has come out in favor of a national privacy law, according to CNBC.

    Privacy is becoming one of the biggest battlegrounds for companies, governments and individuals alike. The U.S., however, does not have a comprehensive privacy law to outline what companies can and cannot do with individual data, or what rights individuals have to protect their privacy.

    In contrast, the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect in 2018 and provides comprehensive privacy protections and gives consumers rights over their own data. Similarly, the California Consumer Privacy Act (CCPA) went into effect January 1, and provides similar protections. Although companies, such as Microsoft and Mozilla, have expanded GDPR and CCPA protections to all of their customers, there are far more companies that have not, and have no intention of doing so.

    At a panel discussion at the World Economic Forum (WEF), Keith Block said the U.S. needs its own version of the GDPR.

    “You have to applaud, for example, the European Union for coming up with GDPR and hopefully there will be a GDPR 2.0,” said Block.

    “There is no question there needs to be some sort of regulation in the United States. It would be terrific if we had a national data privacy law; instead we have privacy by zipcode, which is not a good outcome,” he said.

    As the issue continues to impact individuals and organizations, it will be interesting to see if the U.S. follows the EU’s lead.

  • Advertisers Balk At Google’s Plan To Kill Third-Party Cookies

    In what is a surprise to no one, advertisers are begging Google not to kill third-party cookies in Chrome, according to CNBC.

    Google announced earlier this week its plans to phase out third-party cookies within two years. The company is trying to improve user privacy, while at the same time addressing the needs of advertisers, something it does not believe other browser makers do. While Apple’s Safari and Mozilla’s Firefox both include the ability to block third-party cookies, Google believes those solutions leave advertisers in the cold and encourage them to use more drastic and invasive methods to track users and make money.

    In their post announcing the plans, Google was light on details, promising to continue working with the web and advertising community to deliver a solution that was beneficial to all parties. That doesn’t seem to be enough for advertisers, however, as Dan Jaffe, EVP of government relations at the Association of National Advertisers, and Dick O’Brien, EVP of government relations at the American Association of Advertising Agencies, issued a statement protesting Google’s decision.

    According to CNBC, the statement said Google’s plans “may choke off the economic oxygen from advertising that startups and emerging companies need to survive.”

    The advertising groups acknowledged Google’s efforts to implement an alternative to the current cookie-based methods, but urged caution so as not to disrupt the web’s ecosystem with a half-baked solution.

    “In the interim, we strongly urge Google to publicly and quickly commit to not imposing this moratorium on third party cookies until effective and meaningful alternatives are available,” the statement said.

    As CNBC highlights, these same groups have expressed opposition to California’s CCPA privacy law, so it should be no surprise they aren’t happy with anything that impedes their ability to advertise—not even in the name of protecting user privacy.

  • Verizon Launches OneSearch, A Privacy-Focused Search Engine

    Verizon has announced the launch of OneSearch, a brand-new search engine focused on privacy, according to a press release.

    Privacy is increasingly becoming a major factor for tech companies, governments and users alike. The European Union’s General Data Protection Regulation (GDPR) privacy law went into effect in 2018. As of January 1, 2020, California implemented the California Consumer Privacy Act (CCPA), the most comprehensive privacy law in the U.S. The increased regulation, not to mention increasing consumer demand, has created both challenges and opportunities for tech companies.

    Verizon’s solution seems to be a search engine, powered by Bing, that caters toward privacy-conscious users. According to Verizon’s press release, “available for free today on desktop and mobile web at www.onesearch.com, OneSearch doesn’t track, store, or share personal or search data with advertisers, giving users greater control of their personal information in a search context. Businesses with an interest in security can partner with Verizon Media to integrate OneSearch into their privacy and security products, giving their customers another measure of control.”

    The search engine has additional advanced features, such as temporary link sharing. When Advanced Privacy Mode is enabled, any links to search results will expire in one hour.

    Users will still see ads when searching, but they will not be customized or based on the person’s search or browsing habits.

    “To allow for a free search engine experience, OneSearch is an ad-supported platform. Ads will be contextual, based on factors like search keywords, not cookies or browsing history. For example, if someone searches for ‘flights to Paris,’ they may see ads for travel booking sites or airlines that travel to Paris.”

    OneSearch does use some personal information. For example, a person’s IP address does provide general location information that can be used to provide location-specific results. Personal data is obfuscated and is never shared with search partners.

    While it is always nice to see tech giants embrace privacy, it’s hard to see the benefits of OneSearch over DuckDuckGo. DuckDuckGo has a long-standing track record of providing private search. As CNET points out, the move is also interesting coming from Verizon Media, the branch of the telecommunications company “that runs an extensive ad network with more than 70,000 web publishers and apps as customers. While the search engine aims to attract users by turning on privacy features by default, OneSearch will also let Verizon Media hone its ad-matching powers on a search engine it owns. (Verizon also owns the Yahoo search engine.)”

    It will be interesting to see what becomes of OneSearch and if it lives up to its promise of respecting people’s privacy. In the meantime, most users will probably be better off using DuckDuckGo.

  • Mozilla Bringing California Privacy Protections To All Firefox Users

    The California Consumer Privacy Act (CCPA) went into effect on January 1, but Mozilla has vowed to apply its protections to all Firefox users in 2020.

    CCPA is a law California passed to protect user privacy and give people more control over how corporations can use their data. CCPA requires companies to be transparent about what data they collect and how they use it, as well as give users the ability to stop companies from selling their data.

    Microsoft was one of the first companies to publicly commit to applying CCPA protection to all of its U.S. customers. Mozilla is taking it a step further, applying CCPA rights to all Firefox users around the world. This is not the first time Mozilla has taken this stand. When the EU passed its GDPR privacy legislation, Mozilla similarly extended those protections to all users.

    Mozilla is also committing to extending these rules to so-called “telemetry data,” the anonymous technical information about browser usage that helps Mozilla improve security and performance.

    “One of CCPA’s key new provisions is its expanded definition of ‘personal data’ under CCPA. This expanded definition allows for users to request companies delete their user specific data.

    “As a rule, Firefox already collects very little of your data. In fact, most of what we receive is to help us improve the performance and security of Firefox. We call this telemetry data. This telemetry doesn’t tell us about the websites you visit or searches you do; we just know general information, like a Firefox user had a certain amount of tabs opened and how long their session was. We don’t collect telemetry in private browsing mode and we’ve always given people easy options to disable telemetry in Firefox. And because we’ve long believed that data should not be stored forever, we have strict limits on how long we keep telemetry data.

    “We’ve decided to go the extra mile and expand user deletion rights to include deleting this telemetry data stored in our systems. To date, the industry has not typically considered telemetry data ‘personal data’ because it isn’t identifiable to a specific person, but we feel strongly that taking this step is the right one for people and the ecosystem.”

    This is good news for all Firefox users and will likely help it continue to gain market share amongst privacy-minded individuals. Hopefully more companies will follow Mozilla and Microsoft’s example.

  • Twitter Making Changes Globally to Comply With Privacy Laws

    Reuters is reporting that Twitter is making changes throughout its platform in an effort to comply with privacy legislation around the world.

    The company is aiming to navigate the different laws and jurisdictions impacting how it collects and uses data. The European Union (EU) passed the General Data Protection Regulation (GDPR) last year, one of the most sweeping privacy protection laws in existence. California has its own legislation, the California Consumer Privacy Act (CCPA), going into effect January 1, 2020.

    Twitter is planning on moving accounts for users outside the EU and the U.S. “which were previously contracted by Twitter International Company in Dublin, Ireland, to the San Francisco-based Twitter Inc.” This will allow the company to experiment with different privacy features—figuring out what works and what doesn’t—without worrying about infringing on the GDPR.

    “We want to be able to experiment without immediately running afoul of the GDPR provisions,” Damien Kieran, Twitter’s data protection officer, told Reuters in a phone interview. “The goal is to learn from those experiments and then to provide those same experiences to people all around the world.”

    Coinciding with these changes, the company has unveiled a new site, the Twitter Privacy Center, in an effort to keep users informed about Twitter’s privacy efforts, as well as give them more control over their data.

  • Microsoft Vows to Abide by California Privacy Laws Throughout the U.S.

    Privacy has become the new tech battleground, with companies like Google and Facebook seeking to profit from user data, while Apple and Microsoft have consistently come in on the side of protecting user privacy. Now, Microsoft has taken it a step further, embracing the most comprehensive set of privacy laws in the United States.

    The California Consumer Privacy Act (CCPA) goes into effect on Jan. 1, 2020. CCPA is designed to protect user privacy and give individuals more control over how their data is used by corporations. The law requires companies to be transparent about the data they collect and how it’s used, and to give people the ability to prevent companies from selling their personal information. Microsoft makes it clear in a recent blog post that they are strong supporters of this approach.

    “We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual. This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s General Data Protection Regulation (GDPR) to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the U.S.

    “We continue to put these principles into practice every day through ongoing investments in tools that give people greater control over their personal information. More than 25 million people around the world – including over 10 million people in the U.S. – have used our privacy dashboard to understand and control their personal data. By being transparent about the data we collect and how we use it, and by providing solutions that empower businesses to safeguard personal data and comply with privacy laws, we can demonstrate our commitment in the absence of Congressional action.”

    Microsoft is also committed to helping other companies abide by CCPA.

    “In addition, we are working closely with our enterprise customers to help them comply with CCPA. Our goal is to help our customers understand how California’s new law affects their operations and provide the tools and guidance they will need to meet its requirements.”

    Hopefully, Microsoft’s example will encourage other companies to take a stronger stance on protecting consumer privacy.