What We Do
How we do it
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
Jan 19, 2023
Increased Activity in Google Ads Distributing Information Stealers
THE THREAT On January 18th, 2023, eSentire Threat Intelligence identified multiple reports, both externally and internally, containing information on an ongoing increase in Google advertisements…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Dec 13, 2022
eSentire Named First Managed Detection and Response Partner by Global Insurance Provider Coalition
Waterloo, ON – December 13, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced it has been named the first global MDR partner by Coalition, the world’s first Active Insurance provider designed to prevent digital risk before it strikes. Like Coalition, eSentire is committed to putting their customers’ businesses ahead of disruption by improving their…
Read More
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Nov 26, 2019

Navigating the California Consumer Privacy Act

5 minutes read
Speak With A Security Expert Now

Originally posted in Corporate Compliance Insights November 12, 2019

With the California Consumer Privacy Act (CCPA) going into effect shortly, eSentire’s Mark Sangster deliberates on evolving data privacy laws and how companies can ensure stronger data privacy for customers.

The 2018 Cambridge Analytica scandal was a watershed moment for citizen privacy and the protection of our information rights. Consumers gained a greater understanding of the fact that when a product or service is “free,” it means their own information is the actual product. This is perhaps the greatest industrial revolution: the consumer is the product. Not only did it create an uproar, but it also resulted in significant financial penalties. The Federal Trade Commission (FTC) fined Facebook a record $5 billion for giving Cambridge Analytica improper access to its users.

The settlement is important, because it demonstrates that the FTC is taking consumers’ data privacy seriously. The scandal has also caused many consumers to reconsider what information they post – and whether they post at all – on social media and how many companies hold their personal information. In the case of Facebook – and, by extension, all other organizations with an online presence – when no privacy guarantees were ever proffered fully by the company, it represented a violation of implied trust.

In the European Union, the General Data Protection Regulation (GDPR) was established before the Facebook scandal became known. It was implemented in response to many other violations of trust and data collection – both intentional and accidental – as more and more companies collect citizens’ digitized personal information. The GDPR lays out stringent guidelines for what types of data organizations can collect and what they are allowed to do with it, complete with hefty fines for noncompliance. U.S. companies conducting business in the EU or holding data on EU citizens are subject to GDPR, but attempts to pass anything like GDPR in the U.S. have so far failed to gain significant traction.

The Origins of the California Consumer Privacy Act

The California Consumer Protection Act (CCPA) is perhaps the “Plymouth Rock” of privacy. The U.S. constitution contains no express right to privacy. It’s typically left up to the civil court system to decide on such matters as governed by state law or precedent. There’s no explicit equivalent of, say, Canada’s PIPEDA or Japan’s AAPI online privacy legislation. However, when data privacy legislation called the California Consumer Protection Act (CCPA) was introduced last year, it was passed within weeks of its introduction.

Clearly, there was an appetite, at least in tech-heavy California, for GDPR-style protections. The CCPA’s quick passage was also widely seen as a compromise with online companies that were eager to prevent a tougher citizen proposal from going onto the ballot. The legislation grants consumers new rights with respect to the collection of their personal information and goes into effect on January 1, 2020.

How Will the CCPA Affect Companies?

First and foremost, the CCPA is about privacy. It requires full disclosure from companies regarding the collection of personal information – everything from what details they are keeping to what sources that information is coming from and why they are collecting it.

It also includes the right for citizens to opt-out of having their information/data sold. Users and customers will have to be notified from the get-go about their information; they will have to acknowledge that their information is being collected, but they can choose not to allow those companies to sell their information to other companies. CCPA goes one step beyond GDPR to not only define privacy rights, but also expose the economic value of consumer data.

Similarly to GDPR’s right to be forgotten, CCPA includes the “right to be deleted.”

Companies won’t be allowed to retaliate against those customers who opt out of allowing their information to be sold by charging them higher fees or rates. A company like Google, for instance, wouldn’t be able to respond to a user opting out of having their information sold by then charging them (more) or restricting access to certain services.

How Companies Can Understand the Risks and Prepare

One of the major aspects of CCPA is that companies will have to declare the value of the data they are collecting – so if a company planned to sell that data, they would need to declare its resale value.

Organizations will need to find a way to ensure that every department understands what the requirements are under CCPA. Companies that fall within CCPA’s jurisdiction will need to map all of the information they collect. For many, they’ll find that certain departments have no understanding of the implications that arise from the information they regularly gather.

For instance, the marketing department may store sales information about customers and prospects in a customer relationship management (CRM) tool to create stronger buying personas. However, marketers are likely unaware that CCPA will require documentation of where that data came from and why it is being used. And in a situation like this, pleading ignorance is no longer a viable defense.

Companies will need to be able to fully map where the information goes, including across their supply chain, with a justified purpose. They will have to work to ensure they’re conducting due diligence and analyzing the benefits versus the risks to justify their actions to regulators if they come calling. This will help prevent “shiny object syndrome,” or a hoarder’s mentality in which companies collect all the data they can in the hopes that it will someday be useful.

In addition, companies must be able to secure this data. This will change how vendors are chosen. Organizations will need to analyze the risks associated with that vendor by conducting due diligence, then establish controls. They will have to put monitoring in place to ensure their vendors are in compliance with those data controls.

Stronger Security Ahead

The CCPA represents the first legislation of its kind to pass in the U.S., but it’s certainly not the last. This year, more than 20 states have considered data privacy legislation, though only Maine, Illinois and Nevada actually passed laws. California will be an acid test to watch as of January 1 of next year, when the legislation takes effect. It’s particularly interesting to watch, given how many of the biggest names in tech are also based in the Golden State.

But privacy legislation of this kind shouldn’t and doesn’t need to be seen as crippling to business. It can actually be a business advantage by forcing companies to really evaluate their supply chain and partners to understand how and why data is being stored and collected. This can ultimately protect not just consumers’ privacy, but companies from damaging breaches or other security incidents in the long term as they get a better handle on their data.

View Most Recent Blogs

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.