On July 1st, 2020 enforcement of The California Consumer Privacy Act (CCPA) officially came into effect. Similar to the European Union’s General Data Protection Regulation (GDPR), CCPA is California’s answer to personal data protection – regulating how businesses across the globe are allowed to handle the personal information (PI) of California residents.
This means that California residents have the right to opt out of having their data sold to third parties, request disclosure of data already collected, and request deletion of data collected. As a part of this, corporations are required to respond promptly to consumer requests for information regarding their data.
Though they share overarching objectives, there are a number of differences between CCPA and GDPR, with a significant difference being in the way fines are decided on. CCPA fines for a breach can include a civil penalty of up to $7,500, and fines of anywhere from $100 to $700 per consumer.
Though these numbers may appear small in comparison with GDPR fines, companies managing high volumes of personal data (i.e. a larger company with thousands of consumers) are vulnerable to seeing these numbers multiplied significantly. CCPA also allows the individual consumer to file civil claims, giving individuals the ability to exercise their rights to privacy.
While some of the details of CCPA enforcement are still being ironed out, this article provides a summary of 9 key breaches so far and what we can learn from them.
In August 2021, Zoom Video Communications reached an $85 million settlement after a number of user privacy issues including those related to ‘Zoombombing’. Zoombombing involves outsiders hijacking Zoom meetings and posting disturbing content such as pornography, or using racist language. The lawsuit claimed that Zoom had violated users’ privacy rights by sharing personal data with Facebook, Google, and LinkedIn, and letting hackers ‘Zoombomb’ meetings.
As well as paying the sum, Zoom agreed to improve its security practices to comply with the CCPA, releasing a statement saying: “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us.”
To comply with CCPA, an unnamed data broker added a “Do Not Sell My Personal Information” (DNSMPI) link to its homepage – but the link didn’t work.
The business also made users jump through a series of hoops (including providing government ID and proof of address) before being allowed to opt out of the sale of personal information. Thirdly, customers were required to create an account in order to make a verifiable consumer request – including a CCPA request.
After being informed of these issues, the business updated its link, removed the barriers to opt out, and no longer requires the creation of an account to make a CCPA request.
In another case of DNSMPI wrongdoings, a company that partners with major corporations on digital strategies did not tell consumers about their rights under the CCPA and did not provide adequate notice on how personal information was collected, used, or sold.
In August 2021, T-Mobile USA Inc. was hit with two class-action lawsuits accusing the telecommunications company of violating the CCPA. It was alleged that ‘T-Mobile violated the CCPA and acted negligently by failing to protect consumer data from a recent data breach that exposed millions of customers’ records’.
The allegations came after T-Mobile had suffered a data breach that compromised the personal data, including names and phone numbers, of millions of customers.
It is thought that T-Mobile violated the CCPA by failing to protect consumers’ non-encrypted personally identifiable information from unauthorized access and exfiltration, theft, or disclosure. This is alleged to have stemmed from a failure to maintain reasonable security procedures to protect such information.
The company offered two years of free McAfee ID theft protection to all people who believe they may have been affected by the breach, but investigations are ongoing.
A business that sells electronics was accused of selling a bit more than just that. The company had third-party trackers on its website that shared data with advertisers about visitors’ online shopping habits. There was no service provider contractual relationship in place and consumers’ requests to opt out were not being processed.
To solve these issues the company worked with its privacy vendor to honor consumer opt-out requests and avoid selling personal information to third parties in violation of the CCPA.
Alongside other CCPA breaches, a business that operates an online classified advertisement platform did not display the required CCPA consumer rights or explicitly state whether or not it had sold personal information in the past year.
A social media app business was not responding to CCPA requests by consumers fast enough. The requests included consumers wanting to know and delete personal information – which users have a right to under the CCPA. Unfortunately, consumers were left unaware of whether their requests had been effectuated, or even received.
After notification by The Office of the Attorney General (OAG), the organization responded to the outstanding requests and updated its CCPA response system to improve its timeliness.
The CCPA’s distinction between a “service provider” and a “business” made compliance difficult for an online ad-tech organization which, though primarily a service provider, is a business in some contexts. The company’s service provider contracts also lacked the necessary restrictions on the use of processed personal information.
If there is one thing to learn from these breaches it is that doing the right thing is not enough. You need to tell your consumers what you are doing – transparently and in language that they understand.