Data Privacy law coming to California in 2020

Data privacy, specifically as it pertains to our lives online, has been a staple topic of discussion particularly since the General Data Protection Regulation (GDPR) went into effect in the European Union in 2018. The United States is now poised to see a similar, albeit different regulation for the state of California. 

What is the California Consumer Privacy Act? 

The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and enforcement for it will begin on January 1st, 2020.

The CCPA applies to all residents of California, providing them with the following:

• The right to know what personal data is being collected;
• The right to access their personal data;
• The right to know whether this data is sold or disclosed, and to whom;
• The right to opt out of the sale of personal data;
• The right to equal service and prices, even if they exercise privacy rights.

Essentially, this bill grants the average person more control over the information that companies may collect on them, and it protects them from being denied service if they choose to exercise privacy rights. 

Important to note is the way the CCPA defines “personal information”, which is as follows:

“Information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”

Another significant detail to be aware of is that the CCPA does not consider Publicly Available Information to be personal information that is protected under the bill.

Who does the CCPA apply to?

• Any business or for-profit entity that collects consumers’ personal data, which does business in California, and meets at least one of the three following thresholds:
  • Has annual gross revenues in excess of 25 million USD;
  • Possesses the personal information of more than 50,000 consumers, households, and devices; or
  • Earns more than half its annual revenue from selling consumer information

The words “digital privacy law” and “California” in the same sentence most likely conjure images of Silicon Valley companies. However, this regulation will most likely not be world changing for giants like Facebook and Google. This is due in part to GDPR-compliance, which makes it easier to comply with regulations like the CCPA. 

Some Similarities & Differences between the CCPA and GDPR

• Similarities
  • Both regulations only protect natural persons (individuals) and not legal persons
  • Both require companies to demonstrate after a data breach that they took reasonable steps to protect that data from a breach
  • Both apply to organizations that might not have presence in their respective jurisdictions, but offer goods or services in the region 
• Differences
  • CCPA
    • Requires companies to provide an opt-out to data sharing
    • Penalties are done on a per-violation fine basis
    • Does not cover certain categories of personal data (e.g. health information) because they are already covered under different US regulations, such as HIPAA.
    • Does not require organizations to hire data protection officers or conduct impact assessments
    • Protects a “consumer” who is “a natural person who is a California resident”
    • Obligations apply specifically to “businesses” that are for-profit, collect consumer personal information and meet certain qualifying thresholds as mentioned above
    • Also applies to any entity that controls or is controlled by the business in question. No obligations are directed specifically at “service providers”
  • GDPR
    • Requires companies to provide an opt-in to data sharing
    • Penalties focus on up to 4% of annual global revenue
    • Protects a “data subject” who is “an identified or identifiable natural person” – meaning that an individual does not specifically need EU residency or citizenship if the controller processing their data is located in the EU. If the controller is located outside the EU, the citizenship/residence condition applies
    • Obligations apply to “controllers”, which could be natural or legal persons in addition to business entities, whether the activity is for-profit or not
    • Obligations also apply to processors, which are entities that process personal data on behalf of controllers.

If you have any questions or comments about whether CCPA will impact you or your business, you can always reach out to our team at Centry for help by emailing info@centry.global! 

Google fined €50 million for data privacy violations; what can we learn from it?

On January 21, 2019, Google was fined for €50 million for violating the European Union’s General Data Protection Regulation (GDPR) by the French Supervisory Authority for data protection (CNIL).

GDPR, which went into effect May 25, 2018, was designed to provide EU citizens with greater control of their personal data and rights to what data they choose to share and how that information is retained by organizations. It required organizations that collect data of EU citizens to obtain “clear and affirmative consent” for data collection, have privacy policies in clear and understandable language, inform individuals when their data was compromised, allow them to transfer their data to other organizations, and the “right to be forgotten”, which is the ability to request that their data be deleted.

The fifty-million Euro fine facing Google was the moment the data privacy industry had been waiting for, as GDPR long promised steep costs for those found to be in violation of its data privacy rules.

CNIL reported that Google failed to fully disclose to users how their personal information is collected and what happens to it, in addition to not properly obtaining user consent for displaying personalized ads.

Although Google had made changes to comply with GDPR, the CNIL said in a statement that “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services, and almost unlimited possible combinations.” They added that the violations were continuous breaches of the regulation, and “not a one-off, time-limited infringement.”

CNIL began investigating Google on the day of the GDPR deadline in response to concerns raised by to privacy activist groups, None of Your Business and La Quadrature du Net. These groups filed complaints with CNIL, claiming that Google did not have a valid legal basis under GDPR to process personal data for the use of personalized and targeted ads.

These groups have also filed privacy complaints against Facebook and its subsidiaries, including Instagram and WhatsApp.

In the course of their investigation, CNIL found that when users created Google accounts with Android smartphones, the company’s practices violated GDPR in two ways – transparency and legal basis for the ads personalization. CNIL additionally found that the notices Google provided to users about what type of information it sought were not easily accessible.

A key fundament of GDPR is that users are able to easily locate and fully understand the extent of data processing operations carried out by organizations. In this Google was found wanting, where their terms were described as “too generic and vague in manner.” Overall, CNIL concluded that “the information communicated is not clear enough” that the average user could understand that the legal basis of processing operations for the ads personalization is consent. In other words, if you do not provide consent to have your information processed for personalized ads, the company legally cannot do it. Per GDPR, consent for data processing must be “unambiguous” with “clear affirmative action from the user.”  

Google responded to the fine with a statement affirming its commitment to meeting transparency expectations and consent requirements of GDPR, and that it is “studying the decision to determine our next steps.”

Despite the fact that companies were given a two-year time frame to comply with the regulation, many were not compliant by the deadline when it went out on May 25, 2018. Other companies only made limited efforts to become compliant, choosing to wait until the first major fine was released to see how serious the enforcement would be. If some of these companies were hoping to get a pass from another national data protection authority, that decision will most certainly be critically assessed in comparison with CNIL’s approach.

Consent requirements seem to be the greatest obstacle for companies struggling with GDPR’s requirements, especially where it concerns transparency and accessibility. Under GDPR, companies cannot hand out a single consent form with a bundle of data uses. That has long been industry standard practice, and part of the reason that Google was found to in violation of GDPR.  

To avoid facing similar fines in the future, companies can review how they obtain consent to collect personal information of users. Each data set requires its own consent– you have to be able to agree or disagree to each way your information will be used.

This level of transparency is essential and it requires changing from previously accepted business practices.

If you have any questions or comments pertaining to GDPR or this article, feel free to contact us at info@centry.global. Be sure to follow us on Twitter @CentryGlobal an subscribe for more content like this!

This article was written by Kristina Weber, Content Manager of Centry Global.

Centry Quick Check Program for Corporate Due Diligence

New technology has revolutionized corporate investigations and changed the way we go about them. There’s greater efficiency, new insights, and broader reach. However, the downside is that this technology can lull both investigators and clients into a false sense of security.

Computers can provide us with information, but people are still better at evaluating data within context, such as identifying how useful the information is and what it is relevant to. In short, technology can’t yet replicate human analysis – and yet we continue to see a growing dependence upon it for exactly that.

The Value of Professional Investigators in Corporate Due Diligence

In countries where there are robust public records, this dependence on automated scanning and investigative tech is particularly evident. Although investors and corporations still recognize the value of actual investigators in challenging regions across the globe where the public records may not be so accessible or accurate, when it comes to investing in due diligence insidethe US and Canada for example, companies are increasingly drawn by the promise of these low-level automated scans.

However, it’s important to consider that these types of surface level scans will not and cannot encompass a breadth of understanding of an investigated subject. Software driven data harvests conducted without the analytical power of the human mind could expose businesses to risks they may be unaware of, including things like reputational risk, fraud, money laundering, and more.

Most of these automated scans lack coverage on the target in media, whether that’s on social platforms or journalistic content. This surface level research cannot hope to provide a clear and accurate picture of a subject, and it certainly would not appease judicial officials if something were to go wrong.

For example, single-location local records checks cannot account for whether a person has moved cities. It would also not pick up any information about whether or not the subject faced allegations of criminal activity, which is something that can be identified through doing a media assessment. Furthermore, media research can also illustrate any extreme political views or subjects that an investor or company might not want to be associated with.

The professional experience of a professional who has done hundreds, if not thousands of due diligence investigations is something that is highly valuable. They are more likely to be able to provide context around findings that may initially seem adverse, such as whether or not a particular practice is typical for a particular industry or they might pick up contextual clues that could uncover a previously overlooked detail.

Companies seeking to save a dime by purchasing an automated scan with no human inference could be unknowingly setting themselves up for a huge risk in the future.

Our Answer: Investigator Driven Quick Checks for Individuals and Companies

Propelled by increased regulatory concerns among corporate entities and a more competitive environment amid the offers of automated checks, Centry Global has formulated an answer to the question of how to marry meaningful analysis to efficiency in due diligence investigations with our Quick Check (QC) program.

What to Expect from a Centry QC

The QC program combines an identity review, sanctions screening, compliance check, and media research into a single, well-organized background check package on either individuals or companies with a turnaround time of 5-7 business days.

Quick Check of a Company

• Identity Review
  • Key financial figures
  • Risk Level
  • Beneficial Owners and Senior Management
• Compliance Review
  • Sanctions and Watchlists Screening
• Social/Adverse Media Review
• Analysis and/or Recommendations

Quick Check of an Individual

• Identity Review
  • Shareholdings and Directorships
• Compliance Review
  • Sanctions and Watchlists Screening
  • Politically Exposed Persons Screening
  • Litigations Check
• Social/Adverse Media Review
• Analysis and/or Recommendations

For more information on these Quick Checks, please feel free to contact us at info@centry.global or on our LinkedIn, Facebook and Twitter pages!

Cryptocurrency OneCoin revealed to be $3bn pyramid scheme

An international pyramid scheme involving the marketing of the cryptocurrency OneCoin has now been revealed. Konstantin Ignatov, his sister Ruja Ignatova and Mark Scott have been charged by the Southern District of New York (SDNY) for wire fraud conspiracy, securities fraud, and money laundering.

OneCoin is a Bulgarian-based company that was founded in 2014 and is still active today. The company’s main operations depended upon selling educational cryptocurrency trading packages to its members, who in turn receive commissions for recruiting others to purchase these packages. SDNY has identified this as a multi-level marketing structure and attributes that to the rapid growth of the OneCoin member network. The company claims to have more than 3 million members worldwide.

In a government press release, Manhattan attorney Geoffrey Berman said that the OneCoin leaders essentially created a multi-billion dollar company “based completely on lies and deceit.”

Leaders of OneCoin were furthermore alleged to have lied to investors to inflate the value of a OneCoin from approximately $0.50 to over $30.00. This was just one facet of a breadth of misinformation perpetrated by the leaders of the company, including claims about how how OneCoin cryptocurrency is mined by company servers, when in reality OneCoins are not mined with computer resources and the use of a private blockchain, which was found to be false in the investigation.

So how damaging was this scheme? The SDNY claims that between 2014-2016 alone, OneCoin was able to generate more than $3.7 billion in sales revenue and earned profits of approximately $2.6 billion. The investigation revealed that Ignatova and her co-founder created the business with the full intent of using it to defraud investors. In one email that was found between OneCoin’s co-founders, Ignatova described her exit strategy for OneCoin, which was simple to take the money and run and to blame someone else.

Konstantin Ignatov was arrested on March 6, 2019 at LAX, while his sister remains still at large. It is estimated that Ruja Ignatova could see up to 85 years in prison if she is found guilty on all accounts, as she faces five separate charges. Mark Scott was arrested in Massachusetts on Sept. 5, 2018 and faces 20 years in prison.

Many authorities across the globe have been notified of OneCoin’s fraudulent behaviours and have attempted to stop the company’s operations.

This article was written by Kristina Weber of Centry Global. For more content like this, be sure to subscribe to Centry Blog for bi-weekly articles related to the security and risk industries. Follow us on Twitter @CentryGlobal!