[Solved] IA673 California Consumer Privacy Act (CCPA) Security Policy and Risk Management Analysis


The California Consumer Privacy Act or CCPA was enacted in 2018 and took effect on January 1st, 2020. The legislation secured new privacy rights for California consumers including:

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
  • The right to delete personal information held by businesses and, by extension, a business's service provider;
  • The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13;
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

The CCPA will apply to certain businesses or organizations. Those that fall under the CCPA will be bound by new business obligations, such as notifying consumers at the time of, or prior to, the collection of data. Compliance will involve additional costs for those companies, and some of them might also fall under the European Union's General Data Protection Regulation (GDPR), which will be covered at greater length in your Final Group Project.

Scenario:

Your Group has been hired as consultants by a California-based manufacturing company, DCG Inc., which manufactures thermostats and HVAC control equipment. DCG has annual revenue of $300 million from the sale of the equipment it manufactures as well as from the sale of mobile applications that help its customers manage the equipment. These applications can be used through a desktop browser or through a native iOS or Android mobile app, which customers have to pay for and download from the App Store or Google Play. When customers download the app, they have to agree to DCG's terms and conditions of use, which include the collection of data from the app such as location data of the device, IP addressing, etc. DCG uses this data for diagnostic purposes and to upgrade and improve the apps; however, it also sells this data to third parties. If someone uses a social sign-on option, such as signing into the app with their Facebook credentials for convenience, DCG also shares all the data with Facebook.

DCG management is concerned about how the newly implemented California Consumer Privacy Act (CCPA) will impact its business model moving forward. Management understands that, though the CCPA has now taken effect, not all of the regulations that govern its enforcement have been written and implemented by the Executive Branch yet. Thus, they understand that your findings at this point will be preliminary and based on assumptions that your Group makes. They would like you to present both a less restrictive scenario, where regulations are less stringent on businesses, and a very restrictive scenario as a worst case for their current business model.

DCG has taken steps to become compliant with the EU's General Data Protection Regulation because it is actively looking to acquire a competitor from Germany; however, the potential acquisition is still likely a year away and not everything has been completed. Thus, DCG would also like to know whether meeting GDPR compliance would make it CCPA compliant as well. You will therefore need to investigate the GDPR to see whether there are any overlaps or areas where the two regulations diverge.

Deliverables:

Your Group will need to research both the CCPA and the GDPR and look at ways in which they could impact DCG, Inc.'s current business model. You will then need to present your opinion on a best-case, less restrictive regulatory environment and a worst-case, very strict regulatory environment moving forward. Take into account any IT Security or Privacy policy considerations DCG should be aware of, as well as any IT Risk Management concerns that could arise given the new compliance requirements. Also, determine whether DCG, if it meets GDPR compliance, will be OK as far as the CCPA is concerned. Recommend any changes in business practices your Group believes will aid DCG in becoming compliant with the CCPA.

Then present your findings in a 5 Page Minimum report, citing any sources that you use, including the CCPA or GDPR. Your report should have a Minimum of 5 Sources, which are properly cited in the text and included in a Reference section. Use a common citation method such as APA or IEEE and be consistent throughout (SOURCES WILL BE CHECKED!). Turn in 1 copy of the report from the Group to the D2L Group Mid-Term Project assignment folder by the deadline on the Group Mid-Term Project folder.

Related Links:

CCPA

http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article=

GDPR

https://gdpr-info.eu/
