Preparing for CCPA

The California Consumer Privacy Act of 2018, or CCPA, has been enacted in California. Even if your business is not in California, your business data and data collection policies may be greatly affected. The law is similar to GDPR in Europe, but it also has some very specific differences that companies need to be aware of.

First, which companies are required to follow the CCPA:

  • Companies that have total annual revenue in excess of twenty-five million dollars ($25,000,000).
  • Companies that, in aggregate, annually buy, sell, trade, receive, or share the personal information of 50,000 or more California consumers.
  • Companies that derive 50% or more of their total annual revenue from selling California consumers' personal information.

If your company falls under this scope, then you need to read on and be ready to make changes to your data collection and retention. There are legal and technical structures you need to put in place to be able to comply with the CCPA.

From the consumer perspective, these are the key rights given to consumers under the law. Consumers have the right to access the information that businesses have collected about them. The right to deletion is offered to consumers who want their information permanently removed from company records. There are new opt-out and website requirements, including a "Do Not Sell My Personal Information" link. Last but certainly not least, there are new privacy policy requirements.

This summary provided by the International Risk Management Institute is very clear. PwC published this comparison between GDPR and CCPA.

From a technical perspective, you will need to work with your database consultants on your CRM and web databases to meet the requirements. For example, can you pull all data about a specific contact from your systems to respond to an access request? Can you delete all the information about a contact? All this and more is required and will need to be built out and attested to.
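The two questions above (pull everything about one contact, delete everything about one contact) are the core of a data subject request workflow. The following is an added example, not code from Denver DataMan or from any of the referenced firms, showing one way to implement both against a small relational CRM. The schema, table names, sample rows and salt are all constructed for illustration; SQLite stands in for whatever CRM or web database you actually run. The design points worth noting are that every table holding personal data is listed in one place so a request cannot silently miss a table, that erasure runs in a single transaction, and that the audit record kept after erasure stores only a salted hash of the identifier, so you can attest that the request was honoured without re-creating the personal data you just removed.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample schema (hypothetical table and column names).
SCHEMA = """
CREATE TABLE contacts (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    name  TEXT NOT NULL
);
CREATE TABLE orders (
    id         INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL REFERENCES contacts(id),
    total_usd  REAL NOT NULL
);
CREATE TABLE web_sessions (
    id         INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL REFERENCES contacts(id),
    ip_addr    TEXT NOT NULL
);
-- Audit trail that survives erasure. It holds a salted hash of the
-- identifier, not the identifier itself, so it attests to the deletion
-- without retaining the personal data that was deleted.
CREATE TABLE erasure_log (
    subject_hash TEXT NOT NULL,
    erased_at    TEXT NOT NULL,
    rows_removed INTEGER NOT NULL
);
"""

# Every table that stores data keyed by contacts.id must appear here;
# a table missing from this list is invisible to access and deletion
# requests. Table names come only from this fixed tuple, never from
# user input, which is why they can be interpolated into SQL below.
DEPENDENT_TABLES = ("orders", "web_sessions")

# Constructed salt for the example; a real deployment loads it from a
# secrets store so the audit hashes cannot be brute-forced from a list
# of known e-mail addresses.
AUDIT_SALT = b"example-salt-not-for-production"


def open_sample_db():
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        (1, "alice@example.com", "Alice Example"),
        (2, "bob@example.com", "Bob Example"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (10, 1, 42.50), (11, 1, 7.25), (12, 2, 99.00),
    ])
    conn.executemany("INSERT INTO web_sessions VALUES (?, ?, ?)", [
        (100, 1, "198.51.100.7"), (101, 2, "203.0.113.9"),
    ])
    conn.commit()
    return conn


def subject_hash(email):
    """Non-reversible audit identifier for a data subject."""
    return hashlib.sha256(AUDIT_SALT + email.lower().encode()).hexdigest()


def export_contact(conn, email):
    """Right of access: collect every row held about one contact.

    Returns a JSON-serialisable dict, or None if the contact is unknown.
    """
    contact = conn.execute(
        "SELECT * FROM contacts WHERE email = ?", (email,)).fetchone()
    if contact is None:
        return None
    result = {"contact": dict(contact)}
    for table in DEPENDENT_TABLES:
        rows = conn.execute(
            f"SELECT * FROM {table} WHERE contact_id = ?", (contact["id"],)
        ).fetchall()
        result[table] = [dict(r) for r in rows]
    return result


def erase_contact(conn, email):
    """Right to deletion: remove the contact and all dependent rows in one
    transaction, then write the audit entry. Returns the number of rows removed."""
    contact = conn.execute(
        "SELECT id FROM contacts WHERE email = ?", (email,)).fetchone()
    if contact is None:
        return 0
    removed = 0
    with conn:  # commit only if every statement succeeds, otherwise roll back
        for table in DEPENDENT_TABLES:  # children first, then the parent row
            cur = conn.execute(
                f"DELETE FROM {table} WHERE contact_id = ?", (contact["id"],))
            removed += cur.rowcount
        cur = conn.execute("DELETE FROM contacts WHERE id = ?", (contact["id"],))
        removed += cur.rowcount
        conn.execute(
            "INSERT INTO erasure_log VALUES (?, ?, ?)",
            (subject_hash(email), datetime.now(timezone.utc).isoformat(), removed))
    return removed


if __name__ == "__main__":
    db = open_sample_db()
    print(json.dumps(export_contact(db, "alice@example.com"), indent=2))
    print("rows removed:", erase_contact(db, "alice@example.com"))
    print("after erasure:", export_contact(db, "alice@example.com"))
```

Running the block exports everything held about the first sample contact, erases it, and then shows that a second export returns nothing. The same pattern extends to backups and downstream copies (analytics exports, mailing-list syncs), which also have to be covered for the deletion to be complete.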

If you look at the Independent Business Obligations section of this whitepaper, you will see some great work by Perkins Coie on what is required technically and legally to comply with CCPA.

The definitions in the CCPA are very broad. Clarifications will need to be made to the law, either by State regulators or through the courts. Denver DataMan is keeping up with the new law and the changes around it so that we understand the specific requirements as well as possible. We want to have a holistic understanding of all parts of the CCPA so we can best advise our clients.

DDM Can Help

We are here to help companies understand and model their data.  We have partners like business lawyers who can help with the legal end of CCPA compliance. 

You can get more detailed information on your status under this law by using the CCPA Diagnostic Tool provided by Perkins Coie.

This is not a legal opinion or legal advice. For legal advice on the specifics of how this law pertains to you and your company make sure to contact your attorney.  

First Thoughts on 2018 Updates to the Colorado Data Protection Law

Colorado has had data privacy laws for many years. This year the Colorado legislature took up enhancements to these laws in House Bill 18-1128. The act was signed into law on May 29, 2018, by Governor Hickenlooper. The crux of the law is that all companies in Colorado with data about Colorado residents have a responsibility to protect that data. The biggest change is that if there is a data breach, a company has only 45 days to report the data loss to the people it affects.

The definition of "personal identifying information" or PII is what you would expect. 

PII includes "[a] social security number; a personal identification number; a password; a pass code; an official state or government-issued driver's license or identification card number; a government passport number; biometric data, AS DEFINED IN SECTION 6-1-716 (1)(a); an employer, student, or military identification number; or a financial transaction device."

The law applies to any organization, for-profit or not-for-profit, that collects or processes the data. The law requires keeping "reasonable security procedures." Denver DataMan already works with our customers to put security procedures in place, and we will be making sure that these procedures meet the standards the law requires, which we believe they will, knowing all along that security is a constantly evolving landscape.

The law does make clear that there are different expectations depending on the size of the company and the type of data being kept. For example, a company that has a blog that lets users log on with usernames and passwords has a different level of expectation for security than a small insurance office keeping social security numbers.

It is the responsibility of a company that chooses a third party such as Denver DataMan to make sure that the third party keeps the data secure while it is in their possession. Denver DataMan has always taken this very seriously and has a strict protocol for working with customer data. Any vendor you work with and provide your customer data to should have these types of procedures in place.

The law provides very clear guidance on the type of notice that must be given and how notice must be provided in the event that there is a security breach. 

The Attorney General's office not only has the ability to help collect economic damages; it has also been granted the authority to investigate and prosecute criminal violations of this law.

The law will go into effect on the 1st of September 2018.    


This is not a legal opinion. For legal advice on the specifics of how this law pertains to you and your company make sure to contact your attorney.  

GDPR Be a Comin' 'Round the Mountain

GDPR is the European Union's General Data Protection Regulation, and it has impacts for many businesses that collect data from citizens of the EU. Enforcement of GDPR starts 25 May 2018, or May 25, 2018, for us Americans.

The goal of GDPR is to provide substantially greater security and transparency for personal data collected from EU citizens. The Internet is overflowing with information on GDPR and, luckily, there are many companies like Denver DataMan that can help you with a strategy for data collection, security, and monitoring.

What Must be Done?

Consent must be given for the use of data and for how the data can be used. This includes whether data can be shared with others and how it can be shared. In GDPR parlance, the person the data belongs to is the data controller.

Breach notification must be completed within 72 hours of first having become aware of the breach. Data processors (those that process but do not necessarily store data) will also be required to notify their customers "without undue delay" after first becoming aware of a data breach.

The controller has the right to access their data and get a copy of their personal data, free of charge, in an electronic format. This is similar to the rights afforded to US citizens under the HIPAA law. Systems must also be designed for data portability, so that citizens can get their data in a usable electronic format that can reasonably be transferred to another place or service.

The right to be forgotten is a more controversial issue. It is the right to demand that a company delete your data.

Privacy must be built into systems by design. Privacy by design means that, from the start of implementing a system, development and business decisions are made for the benefit of the data owners rather than just for the needs of the business working with the data.

Who Must Comply?

You must comply with GDPR if you are actively collecting data from European citizens. In general, this means that you are advertising to people in the EU or otherwise making your product or service enticing to people in the EU. Talk to your legal counsel, but from our understanding, if you sell shoes online and someone in the EU buys your shoes, their data is not covered by GDPR. However, if you sell "Dutch Clogs" and you have a .nl domain, or you have text in Dutch, or your site is specifically set up for Dutch addresses, then the data you collect is most probably covered by GDPR. This is a great article on the topic.

If you have offices in both the United States and the EU then you probably must comply. 

For those who must comply, the penalties for non-compliance are very steep. At the highest level of fines, it is 4% of annual global turnover or €20 million, whichever is greater.

Many companies may choose to participate in the European Union (EU) and United States Commerce Department Privacy Shield. The Privacy Shield is an agreement between the United States and the member nations of the EU to handle data similarly in both the United States and the EU.

DDM Can Help

We are here to help companies understand and model their data.  We have partners like business lawyers who can help with the legal end of GDPR compliance.  


Have all the Breaches Breached the Public Trust

You do not have to look far to see examples of data breaches where data on the Internet is exfiltrated. Just last week Under Armour admitted to a large attack and, as I am writing this, details are coming out about an attack on Saks Fifth Avenue and Lord & Taylor stores. And who can forget the Equifax breach?

If you are reading this blog, you probably work with data. You are probably working with data that people trust you to secure: for example, names, addresses, phone numbers, credit cards, social security numbers, health data, and more. My hope would be that you make the effort to do this responsibly. Not everyone does.

Here is the bigger challenge: even if you are taking precautions to manage data securely, it might not be enough. There are many ways that bad actors enter networks or intercept data in order to access data that they do not have the right to access. In this blog, I am not going to write about how to secure a network or a database. I want to write about whether it is time for the government to regulate our use of personal data, similar to the way it is being done in Europe, and how this affects the readers of this blog post.

I think we can all agree that, unless someone lives in the woods without power or running water, it is impossible not to share your personal information with companies. To me this means that we have to accept that sharing data with companies is inevitable, and therefore companies need to be bound to taking responsible care of personal data.

A clear definition of personal information needs to be made. We need a reasonable standard of what personal information is and how a person can give permission to share that information. For example, are both my first and last name private in all cases? This is a very large task and one that needs to involve industry, consumer groups, the government, and, very importantly, IT experts.

We can look to the European Union's General Data Protection Regulation, but it would be a mistake to copy it outright. We need something that fits the United States and makes sense for the United States.

States are considering action, and we do not want this to happen at the state level. Imagine if an e-commerce store had to have different data storage standards for each state. You might even have to have multiple websites. New Mexico could say that the data of New Mexico residents must reside in the state.

As a consumer who wants to know that there are standards for how my data is being protected, a set of laws is important to me. As a business owner, I know that standards like these can be expensive to implement but are generally important. As an IT expert, I know that change is a constant, and I offer up any help I can be in crafting legislation on how we keep the personal data of US citizens safe.

My idea to write this blog comes from the guest blog on VentureBeat by Derek Weeks titled "It's time to regulate: The U.S. must make software companies liable for breaches."

The opinions expressed in this blog are just that. They are based on research and not on any additional knowledge of forthcoming laws in Colorado, the United States, or other parts of the world. I am not an attorney either, so add a couple of grains of salt for that as well.
