Introduction — by Lindsey Ullian, Threat Stack Compliance Manager

Colorado has rightfully gained a reputation as one of the most socially progressive states, as it was one of the first to adopt a regulated adult-use marijuana marketplace. Now Colorado is making news headlines again, having adopted one of the nation’s strictest consumer privacy laws. The Colorado Consumer Protection Act (CCPA) is the result of a continued effort to protect residents’ personal data. Colorado’s law follows the theme set by at least thirty-one other states that have heightened security requirements surrounding consumers’ personal data, and it stands out as one of only twelve states that have imposed broader data security requirements. Any company or public agency storing a Colorado resident’s personal data will now need a data-protection policy, an efficient breach notification process, and the capability to destroy the data when it is no longer needed. Whether you are a one-person company or a Fortune 500 company, as long as you have customers in Colorado, you must comply with this new law. Whether or not your business is located in Colorado is irrelevant; what matters is whether you have customers located within the state. For more details, take a look at the following article written by Kevin Kish, Privacy Technical Lead at Schellman & Company. In this article, Kevin highlights key takeaways from this law, as well as the areas in which it differentiates itself as one of the nation’s strictest data protection laws.
On March 6, Mark Zuckerberg made a commitment to spending the next several years reorienting Facebook’s apps toward encryption and privacy. Can we take him at his word? Find out what digital marketing and data privacy experts think.
Introduction — by Lindsey Ullian, Threat Stack Compliance Manager
For those not tracking the evolution of California’s Consumer Privacy Act (CaCPA), we’ve got some updates for you! While most are just familiarizing themselves with CaCPA’s original requirements, a new senate bill (SB-561) was introduced last week by two California Senators with the intention of further strengthening the rights of Californians. And while changes to the Act are hardly uncommon, the amendments could raise the stakes for organizations that are already concerned with the Act’s expectations.
Connected devices, now collectively known as the Internet of Things (IoT), are becoming more and more integrated into our everyday lives, continuously collecting our personal and non-personal data to make life more convenient. As such, manufacturers are constantly searching for new ways to connect devices, expanding the IoT to include home security systems, healthcare devices, smart locks, and children’s toys to meet both expectation and demand. Though all of this indicates positive technological innovation and progress, one substantial problem remains: data security and privacy.
Organizations across the globe are making their way back to the ‘war room’ to analyze their applicability against one of the most comprehensive data privacy laws sweeping the US, the California Consumer Privacy Act of 2018 (“CaCPA”). The CaCPA, approved on June 28th, 2018, was designed to give consumers (i.e. Californians) control over the use, including the sale, of their personal information. Conceptually, it shares characteristics with the European Union’s data protection regulation, including its ability to be enforced on a global scale.
“Up to 4 % of an undertaking’s global worldwide annual turnover for the preceding fiscal year.” This is arguably the single most powerful (and certainly the most frightening) statement from the GDPR. The heavy consequences of noncompliance with the recently enacted regulation were most likely the catalyst that propelled many organizations’ readiness reviews for GDPR. At a high level, one may assume that you can compute your risk exposure simply by multiplying (.04 x Gross Annual Revenue). But it is not always that easy! This formula applies to organizations that are part of a single “undertaking” as defined by the regulation. For organizations that are not considered a single undertaking, the total exposure may be more difficult to calculate, since the annual revenue totals may be part of a larger group of enterprises. This aspect of GDPR raises a number of critical questions, including the following: What is an “undertaking”? How do I know whether I am a single undertaking? If I am not a single undertaking, how do I compute my potential risk of noncompliance? Is a fine inevitable, or could I receive a lesser penalty? Read the full article on www.threatstack.com