CCPA Phase Two Test Suite
My CCPA Phase Two Test Suite consists of 300 test cases based on the CPRA-Amended CCPA Regulations Approved for Finalization by the CPPA on February 4, 2023.
This test suite is designed to help each group of stakeholders meet strategic CCPA objectives.
Consumers | Businesses | Service Providers | Enforcement Agencies | Non-Businesses | Contractors |
Data Brokers | Compliance Auditors | Third Parties | Legal Professionals | Trust Providers | Authorized Agents |
I conducted Phase One of my CCPA Test Suite in 2020 on 200 of my personal vendors. These Phase One tests laid the foundation for Phase Two by constructing the appropriate 'test scaffolding' capable of withstanding legal and technical challenges.
The test suite can be accessed from:
- PrivacyPortfolio's public data catalog on data.world, by direct download through this link: CPRA-Amended-CCPA-P2-TestSuite-v2.xlsx, or by logging in to a "free" data.world account and browsing to https://data.world/privacyportfolio/privacytests, or by emailing me with a request to join this project/dataset as a contributing member.
- PrivacyPortfolio's public website
- PrivacyPortfolio's public GitHub repository
This suite is intended for discovery and educational purposes -- it is not prescriptive about legal tests or remediation advice.
One important design feature of this test suite is enabling all stakeholders with the knowledge and tools required to reproduce tests within a relevant context for their role.
A second important design feature is making this test suite actionable for other stakeholders, with standardized reporting of test results as input into incident reports, complaints, contracts, audit assessments, etc.
I am making this test suite available to anyone who is genuinely interested in discovering how well the CCPA works for all stakeholders, by publishing it in an accessible location for transparency with every entity I test.
II. Vendor Risk Platform
I use a Vendor Risk Platform for conducting these CCPA Compliance Tests.
This provides a legal standing to conduct these tests, according to the CCPA and my own personal Vendor Risk Management Program.
The platform also provides a mechanism for verifying my digital identity, and for evaluating the data quality of personal information for discovering unauthorized data sharing and use.
My Vendor Risk Platform consists of:
- A data catalog containing published test results, reference metadata, and dataset profiles for all my personal vendors;
- A code repository containing code or links to code artifacts used for conducting tests;
- A master data management tool for mastering my own PI inventory, comparing shared profiles, discovering the identity of a web resource, and governing quality of tagged data elements used to seed collections for identification purposes;
- A secure data repository containing datasets from my master data management tool used for populating collections, storing test evidence, and storing PI datasets received from vendors;
- A domain I control, hosted in a cloud tenant I own, that provides web and email capabilities.
A large portion of tests conducted in Phase One dealt with issues like constructing a 'verifiable request', identifying non-exempt businesses, and defining and classifying roles such as consumer, vendor, customer, etc.
Tests in Phase Two involve Requests to KNOW and Requests to CORRECT, which require a much higher standard for security and accountability: all operations in my Vendor Risk Platform should be Zero-Trust, and any authorized agents must maintain audit entries of all events that govern the use of my personal information.
III. Identity Verification
Although 'Verifying the Consumer's Identity' is a prerequisite for exercising many CCPA rights, no common standards exist for using digital identities.
Every business and government agency is permitted to use their own preferred standards and practices.
'Know Thy Vendor' is the most important principle of my Vendor Risk Management Program. It's my responsibility to 'DISCOVER' the Business using advanced entity resolution techniques and resources.
IV. Data Protection
Prop. 24, as approved by voters, Gen. Elec. (Nov. 3, 2020), §§ 2(H), 3(A)(2), 3(B)(2)-(3).
A consumer’s control over their personal information requires that the purpose for collecting or processing that information is consistent with the consumer’s reasonable expectations. When a business’s purpose for collecting or processing personal information is inconsistent with the consumer’s reasonable expectations, consumers lose control over their personal information and are not in an informed position where they can exercise their rights or knowingly and freely negotiate with a business over the business’s use of their personal information.
On February 4, 2023, the CPPA requested public comments on 3 items for further consideration in finalizing the Regulations:
- cybersecurity audits
- risk assessments
- automated decisionmaking
These three items were in the ballot measure, Prop. 24, approved by voters. In the public comments I submitted to the CPPA on March 27, 2023, I reference CCPA compliance test cases that can be evaluated using NIST SP 800-53r5 control standards:
- Consistency with Consumers' reasonable expectations
- Consumers' control over their personal information
- Consumers' ability to knowingly and freely negotiate with a business over the business’s use of their personal information
When a business fails to adequately protect a consumer's personal data, a case could be made that the Consumer's reasonable expectations are not met. However, Consumers don't define what their reasonable expectations are: businesses and enforcement agencies do. Consumers also don't set data protection standards, and when user credentials or sensitive personal information are compromised, they can end up on the dark web only to be collected and resold to data brokers and malicious actors.
When a business fails to notify consumers of a data breach, consumers lose control over their personal information. If the consumer wants to control their personal information so that breached data isn't shared with other vendors, they will need help from an enforcement agency with the authority and resources to enforce data breach notification laws and take corrective actions.
When an enforcement agency has the authority and resources to enforce data breach notification laws, and fails to do so, responsibility for data protection falls on the Consumer. Section 1798.150(a)(1), "CCPA's private right of action" states:
Any [California resident] consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.
Consumers are disenfranchised from knowingly and freely negotiating with a business over the business’s use of their personal information when an enforcement agency or other provision in law comes between a Consumer and a Business, effectively usurping any right or influence a Consumer might be able to wield over the Business' practices.
V. Reporting
Most cybersecurity audits and assessments are based on an auditing standard, and produce reports that inform corrective actions.
My design intent when reporting CCPA test results is to automatically generate data inputs to support security and compliance processes controlled by other entities, such as the California Department of Technology and the California Office of Information Security, which uses NIST as the cybersecurity framework standard.
I'm experimenting with a subset of 100 NIST controls that I've mapped to CCPA test cases, and implemented within my Zero-Trust, Vendor Risk Management Platform.
For educational purposes, I welcome you to assess the security of my platform, evaluate the degree to which my practices comply with the CCPA, and set your own reasonable expectations for how your personal information should be controlled.
For a deeper dive into the CCPA test data, please send me an email requesting:
- full access to my open datasets and projects on data.world;
- to schedule a demo or presentation;
- and to collaborate or consult with me.
Sincerely,
Craig Erickson, a California Consumer
Published 04/04/2023