The Weekly Breach Breakdown Podcast by ITRC - The Right Tool - S2E21

Show Transcript

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for July 23rd, 2021. I’m James Lee and our podcast today is possible thanks to support from Experian and Sentilink.

Each week we look at the most recent events and trends related to data security and privacy. On our last episode, we talked about the dramatic rise in data compromises so far this year. Today we’re going to talk about the one-year anniversary of the state law that gives consumers a way to push back against data breaches – the California Consumer Privacy Act or CCPA.

I’m sure most of us have heard a parent or mentor say at one time or another, “You need the right tool, for the right job.” When it comes to protecting privacy and personal information, the Mac-Daddy of protection tools is the CCPA. 

While it was technically passed by the California legislature and signed into law back in 2018, compliance enforcement began in July 2020. And now we know what regulators have been doing to enforce the law.

California Attorney General Rob Bonta has published statistics about the number of complaints his office has received alleging CCPA violations, including some examples. Seventy-five (75) percent of the complaints were resolved within the 30 days the law gives a business to comply once they are notified of a potential violation. 

The other 25 percent are still within the 30-day grace period or are still under investigation. 

The most interesting part of the AG’s report are the 27 examples of complaints and what companies did to fix the potential violations. Notices to cure have been issued to data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers. Some businesses prompted hundreds of complaints, while others generated millions. 

Potential violations that have been cured include: 

• A business that manufactures and sells cars failed to notify consumers of how personal information was used as part of a vehicle test drive in addition to other omissions in its privacy policy. 
• A grocery chain required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to participating consumers. 
• A social media app was not timely responding to CCPA requests, and users publicly complained that they were not receiving notice that their CCPA requests had been received or acted on. 
• An online dating platform that collected and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage or adequately explained its data-sharing practices. 

Attorney General Bonta has also released a tool that makes it easy for California residents to directly complain to a business that does not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage. That’s required by the CCPA and the direct consumer complaints can trigger the process that can lead to enforcement action by the state AG.

More tools that allow consumers to help police the CCPA’s provisions – including damages paid directly to consumers for certain data breaches – may be offered in the future.

If you have questions about how to keep your personal information private and secure, visit idtheftcenter.org where you’ll find helpful tips. 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours. 

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast – The Fraudian Slip – and we’ll be back next week with another episode of the Weekly Breach Breakdown. Thanks for listening.