Page 12 - Security Today, March 2021

Passing Prop 24
Businesses now have to listen to consumers on how they want their PII used
By Richard Kanadjian
By a margin of 56.2% to 43.8%, residents of the state of California passed Proposition 24 (the California Privacy Rights Act, or CPRA) in the November 2020 election. It further strengthens the California Consumer Privacy Act (CCPA), a significant data-privacy law that the state Legislature passed in 2018 and that took effect Jan. 1, 2020.
Supporters of Prop. 24 argued that the CCPA, even though it had gone into effect only months earlier, was not strong enough. The updates in Prop. 24, they said, would create, among other things, a system to enforce the CCPA and would triple fines on companies that violate the privacy of underage children.
Proponents also said consumers would gain more control over specific personal data, could prevent their precise location from being tracked, and would have a broader ability to sue companies when their email addresses and passwords are stolen or hacked. They added that by passing the proposition at the ballot box, California residents made it harder for lobbyists to weaken the privacy law in the Legislature.
In short, Prop. 24 changed California's data-privacy law in five meaningful ways:
• Businesses now have to listen to consumers on how they want their personally identifiable information (PII) used.
• Consumers may require businesses to correct inaccurate personal information.
• Businesses may retain consumers' PII only for as long as it is necessary.
• The state can fine a company up to $7,500 per violation of children's privacy rights.
• A new state agency, the California Privacy Protection Agency, is created to enforce, investigate and assess penalties related to the privacy law.
It also is important to remember that, in addition to the CCPA and Prop. 24, many companies in the United States and worldwide are also subject to the European Union's (EU) very similar General Data Protection Regulation (GDPR), which took effect in 2018.
So if you have no business or customers in California, collect no California consumers' personal data and fall outside GDPR, why should you care about any of this? The answer is twofold: 1) consumers (read: private citizens) and government bodies worldwide are taking data privacy very seriously, and 2) it stands to reason that other states and countries will follow suit and impose their own data-privacy regulations.
Hopefully, all of this is another reminder that data breaches are serious issues for any company that holds consumer PII as well as any other sensitive information, including the day-to-day information vital to your own operations.
Secure, protected data saves you potentially millions of dollars in fines or lawsuits, as well as public and industry embarrassment or scorn. Protecting personal private information also shows you are a good corporate citizen, which can become a competitive advantage and enhance your company's reputation.
All of the above leads us to two basic questions: what is considered PII, and what is the best way to protect it?
The original CCPA defined personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. As examples, it listed the following: a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
But that's not all. An additional stipulation of California's privacy laws lists a variety of other identifiers, including name, signature, physical characteristics or description, telephone number, passport number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information.
It did, however, exempt two areas: personal health information and financial information. For personal health information, the CCPA defers to the Health Insurance Portability and Accountability Act (HIPAA). According to the National Law Review, information gathered by financial institutions must follow the California Financial Information Privacy Act, the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act, depending on the situation.
It did not, however, consider publicly available information as personal.
In securing PII, it is necessary to consider both data at rest (data in storage, whether on a server or on a portable device such as a USB drive) and data in transit (data moving between systems over a network, or physically carried to another location). Note that data copied to a USB drive is still data at rest; what changes is that it now sits on a device that can leave the building and your physical control, so it needs the same protection as the server it came from.
In either case, the easiest, most effective