The Impact of the CCPA on Small Businesses

With the new year coming up fast, businesses are all scrambling to begin implementing necessary changes before the California Consumer Privacy Act (CCPA) goes into effect. And as one might expect, this poses some unique difficulties for small businesses that don’t have the same resources as larger companies might.

This month, the International Association of Privacy Professionals (IAPP) released the findings of a number of surveys they conducted with small and medium-sized businesses about their preparation for the CCPA. The findings highlight the unique impact compliance with the CCPA is having on smaller businesses.

Here are some of the key findings:

Confusion is Universal

One interesting aspect of the survey was that confusion surrounding CCPA compliance was universal to both small and large businesses. However, small businesses expressed a specific lack of clarity regarding what employee data is covered, how the sale of data relates to basic advertising, and potential conflicts with existing regulations.   

Vendor Management

Another key concern for small businesses is how the CCPA will affect their use of vendors and third parties. Because they have a limited number of employees, small businesses are more likely to outsource some of their work to third parties. And, according to the IAPP’s findings, small businesses are less likely to have specific programs in place to ensure vendors’ privacy policies meet their own standards and comply with regulations. The report found that while small businesses do generally include privacy clauses in vendor contracts, “they use privacy questionnaires and audits significantly less often than larger companies.”

Lack of Automation

The survey also found that small businesses are less likely to have privacy-focused automation in place. Because the CCPA requires businesses to process consumers’ data access requests, processing these requests along with managing data inventories will likely become more of a burden for small businesses. Without the resources to automate these processes, small businesses fear that implementing and managing data access requests will require an overwhelming amount of time and energy.

What’s more, lack of automation could make it easier for fraudulent data access requests to slip by, resulting in data breaches that would leave them in violation of the CCPA. This has already been an issue with the GDPR, and small businesses worry that they don’t have the tools necessary to effectively verify the identity of individuals requesting access to their data.

While preparation for the CCPA is a top concern for businesses of all sizes, the IAPP’s findings show that small businesses are facing a number of unique challenges. When it comes to compliance, the CCPA holds all businesses to the same standard. And while this gives consumers greater assurance that their privacy is protected across the board, the impact this will have on small businesses is greater than what larger companies are experiencing.

Changes to the California Consumer Privacy Act (CCPA) have been finalized – Goes into effect January 1

As of September 13th, the California Legislature has finished passing amendments to the California Consumer Privacy Act (CCPA), meaning no more changes to the law will be made before it goes into effect this January.

Originally passed in September 2018, the CCPA is widely considered to be the most comprehensive privacy law in the U.S. to date. Taking its cue from the E.U.’s GDPR, the CCPA gives California consumers the right to know what data companies collect on them and even opt out of the collection and sale of their personal information. However, as we wrote about in July, a number of amendments were introduced that privacy experts fear could greatly reduce the impact of the new law.

In the months since then, some of those amendments successfully passed while others were reworked or scrapped altogether. The legislature passed a number of amendments; most of the highly contested changes were put together in bill 1355, Personal Information.

Here is an overview of some of the changes that made it through: 

Non-discrimination 

While the CCPA prohibits any discrimination against consumers who opt-out of the sale of personal information, the new amendment makes an exemption if “differential treatment is reasonably related to value provided to the business by the consumer’s data.”  

This is potentially a big deal. While some of this language will likely be challenged and clarified after the Act goes into effect, it opens the door for businesses to offer different services and/or prices if a user exercises their right to opt out of the sale of their personal information.

Definition of Personal Information 

The amendment also makes a very small change to the definition of personal information, but one that could have large implications. In defining what counts as personal information, the bill simply adds the word “reasonably” to the phrase “capable of being associated with” a particular consumer or household. This small change creates some wiggle room for businesses when it comes to arguing what information is protected under the CCPA.

This also reinforces the clarification in the amendment that de-identified and aggregate consumer information does not fall within the scope of the CCPA. And with efforts already underway to weaken the definition of de-identified information, this could potentially further limit what personal information is protected.  

Employee Information is Exempt 

The other big change to the CCPA concerns employee information. The new amendments now exclude employees from the right to know, opt out of, or delete any personal information their employer collects and sells. However, this exemption sunsets in 2021 and will therefore have to be re-introduced after that. This will likely be the site of a large battle between unions and privacy advocates on one side and industry groups on the other.

 

While these changes certainly reduce the scope and impact of the CCPA, the central tenets of the law remained largely intact. Overall, consumers will still be able to exercise their rights to know what personal information businesses are collecting, to opt out of the sale of this information to third parties, and to even request that a business delete their information. It’s therefore important that all impacted businesses continue to work to be in compliance by the beginning of next year.

iPhone Hack Serves as a Wake-Up Call for Users

Last week, Google’s counterespionage group Threat Analysis Group (TAG) published findings of a malware attack that targeted iPhones for “at least two years.” The hack consisted of what is known as a watering-hole attack, where hackers install malware onto specific websites and visitors of those sites unknowingly download the malware to their device. Once installed, hackers were able to monitor user activity and export sensitive information such as passwords, contacts, messages (including encrypted conversations through apps like WhatsApp), and location data.

Google’s TAG team discovered the attack this past January. They notified Apple of the issue on the 1st of February and Apple released a security update seven days later that brought an end to the vulnerability. However, while the update removed the malware from infected iPhones, any information taken by the attackers remains in their hands.

Despite the in-depth look at the attack that Google released, information on who was behind the attack, what websites were infected, and whose data was stolen has not been verified by either Google or Apple. However, since Google’s report, a number of news sources have started to fill in the pieces. Because of the highly sophisticated nature of the attack, many quickly speculated the attack was nation-state backed. Then, over the weekend, TechCrunch released an article with sources claiming the attack infected websites designed to target China’s Uyghur minority. A day later, Forbes confirmed TechCrunch’s report, also reporting the attack targeted Android and Windows users too. Google and Apple, for their part, have not confirmed these reports.

Unanswered Questions 

News of the attack has raised a lot of questions. Among them, why are we just learning about all this now? While Apple did make note of the exploits in their February update announcement, the language used was such that the scope of the attack was completely unknown until now. While it is always important to apply updates to any device as quickly as possible, it’s possible that without understanding the severity of the attack, many users could have left themselves exposed by putting off the update for another day. 

Another reason this news is so important is that Apple is often considered to have some of the most advanced cybersecurity defenses out there. Because of the perception that Apple products — and iPhones in particular — are safe from attack, users may not properly understand the risks posed. As Ian Beer, author of the Google report, says, “real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”

While this news doesn’t mean iPhone users should go throw their phones away, it does serve as a wake-up call. No matter the device, all users need to take steps to ensure their information remains protected, not least by updating devices quickly. Because, as Beer states, “for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

How Social Loneliness Could Affect Privacy Practices

Social media was designed to connect people. At least, that’s what those behind these sites never stop telling us. They’re meant to create, as Mark Zuckerberg says, “a digital town square.” Yet, as it turns out, the effect social media has on us seems to actually be going in the opposite direction. Social media is making us less social.

Last year a study by the University of Pittsburgh and West Virginia University was published showing links between social media use and depression. And now the same team has released a new study that takes things a step further. The study found that not only does social media lead to depression, but it actually increases the likelihood of social isolation. According to the study’s findings, for every 10% rise in negative experience on social media, there was a 13% increase in loneliness. And what’s more, they found that positive experiences online show no link to an increase in feelings of social connections.

These two studies make clear what we may already feel: the form in which social media connects us ends up leaving us more isolated. And, as strange as it may sound, this could have a profound impact on how we view our privacy. At root, privacy involves the maintenance of a healthy self-identity. And this identity doesn’t form in a vacuum. Instead, it is shaped through our relationship to a community of people. 

So, to the extent social media is isolating, it is also desensitizing to our notions of ourselves and to the world which surrounds us. When we lose a sense of boundaries in relation to community, then anything, including the value of privacy, can go out the window.

And this can turn into a vicious cycle: the lonelier you feel, the more you’re likely to seek validation on social media. Yet, the more you seek that validation, the more that sense of loneliness rears its head. And often seeking this type of social validation leads to privacy taking a back seat. Earlier we wrote about an increase in the success of romance scams, which is just one example of how a sense of loneliness can have the effect of corroding privacy practices.  

While these studies don’t exactly mean we should go off the grid, it’s clear that to understand and value ourselves, we need at times to detach from technology. And, from a business perspective, there are lessons to be learned here too. While technology can make communication more convenient, that shouldn’t translate to having every conversation through a digital platform. Pick up the phone. Have lunch with a customer. Talk to them instead of selling them. Having more personalized conversations will not only translate to stronger business relationships but may even have an effect on the value placed on privacy as well.

Isn’t It Romantic

 

One of the interesting aspects of the internet age is not only the proliferation of online scams, but the fact that those scams create the basis for reality TV. The prime example is catfishing: where a person creates fake social media accounts and uses this persona to build romantic relationships online. Not only have public figures fallen victim, capturing the attention of the media, but MTV even has a highly popular reality show on the subject.

Perhaps because of the attention catfishing has gotten, it’s often not taken very seriously. And besides the embarrassment of getting tricked, catfishing may appear to be relatively harmless. Well, as it turns out, this is far from the case. According to statistics from the Federal Trade Commission, romance scams have evolved into the most costly form of consumer fraud today.

Of the 21,000 reports submitted to the FTC in 2018, victims of these scams lost a total of $143 million — a 23% increase from 2015. What’s more, the median individual loss from a romance scam is seven times higher than all other types of fraud.  

With statistics like that, catfishing might not be as entertaining as it used to seem.  

How They Work

While we assume catfishing usually starts on dating apps, scammers utilize many different social networking websites. In fact, many report that the scams started with a Facebook message. But whatever the means, the scammer will use a photo, often taken from another person’s profile, and build relationships online with unsuspecting victims. Romance scams can play out over months or even years in order to build up trust.

Of course, the scam can only work as long as they never actually meet in public. Scammers will therefore often claim to be living abroad or serving in the military. This even helps to eventually convince the victim to send them money, claiming they need the money to travel back to the states to meet. In other cases, the scammer will play on the victim’s sense of decency by claiming they are in urgent need of help to pay medical bills.

However, a new trend seems to be emerging. In August, the FBI released a statement warning that romance scams are now starting to use victims as unknowing ‘money mules.’ According to the statement, after gaining the victim’s trust, scammers will convince them to open a new bank account in order to send and receive funds. The scammers will then use the account to transfer illegal funds and “facilitate criminal activities for a short period of time.”

Whatever the case, catfish scams certainly deserve to be taken more seriously than they often are. While it may be hard to believe people actually fall for them, the data shows they’re becoming more and more successful. One of the likely reasons for this is that, like phishing and Nigerian prince scams, they don’t exploit technical but rather human vulnerabilities. By learning what buttons to push, scammers are getting better and better at getting their victims to act against common sense. It’s therefore important that everyone understands these emerging trends to help protect against the financial threat these scams pose.