CCPA Phase Two Test Suite

I.    Summary
II.   Vendor Risk Platform
III.  Identity Verification
IV.   Data Protection
V.    Reporting

I. Summary

My CCPA Phase Two Test Suite consists of 300 test cases based on the CPRA-Amended CCPA Regulations Approved for Finalization by the CPPA on February 4, 2023.

This test suite is designed to help each group of stakeholders meet strategic CCPA objectives.

  • Consumers
  • Businesses
  • Service Providers
  • Enforcement Agencies
  • Non-Businesses
  • Contractors
  • Data Brokers
  • Compliance Auditors
  • Third Parties
  • Legal Professionals
  • Trust Providers
  • Authorized Agents

I conducted Phase One of my CCPA Test Suite in 2020 on 200 of my personal vendors.
These Phase One tests laid the foundation for Phase Two by constructing the appropriate 'test scaffolding' capable of withstanding legal and technical challenges.
The test suite can be accessed from:

This suite is intended for discovery and educational purposes -- it is not prescriptive about legal tests or remediation advice.

One important design feature of this test suite is enabling all stakeholders with the knowledge and tools required to reproduce tests within a relevant context for their role.
A second important design feature is making this test suite actionable for other stakeholders, with standardized reporting of test results as input into incident reports, complaints, contracts, audit assessments, etc.

I am making this test suite available to anyone who is genuinely interested in discovering how well the CCPA works for all stakeholders, by publishing it in an accessible location for transparency with every entity I test.


II. Vendor Risk Platform

I use a Vendor Risk Platform for conducting these CCPA compliance tests.
The platform gives me legal standing to conduct the tests, under the CCPA and under my own personal Vendor Risk Management Program. It also provides a mechanism for verifying my digital identity, and for evaluating the data quality of personal information in order to discover unauthorized data sharing and use.

My Vendor Risk Platform consists of:

  • A data catalog containing published test results and reference metadata, including dataset profiles for all my personal vendors;
  • A code repository containing code, or links to code artifacts, used for conducting tests;
  • A master data management tool for mastering my own PI inventory, comparing shared profiles, discovering the identity of a web resource, and governing the quality of the tagged data elements used to seed collections for identification purposes;
  • A secure data repository containing datasets from my master data management tool used for populating collections, storing test evidence, and storing PI datasets received from vendors;
  • A domain I control, hosted in a cloud tenant I own, that provides web and email capabilities.
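The two platform capabilities that do the detective work, the tagged data elements that seed each vendor's collection and the profile comparison that exposes unauthorized sharing and stale data, can be shown with a small script. This is an added illustration, not code from the test suite or from the author's platform. Everything in it is an assumption made for the example: the HMAC-derived plus-addressed alias as the tagged element, the tagging key, the vendor ids, the master record values, and the sample profiles, which are constructed rather than taken from any real vendor response.

```python
"""
Seeded-PI detection for a personal vendor risk inventory (illustrative).

Each vendor receives a vendor-specific variant of one PI element (here a
plus-addressed email alias derived from an HMAC of the vendor id). The
mapping from alias to vendor is the inventory. Any dataset that arrives later
(a Request to Know response, a marketing email, a breach dump) is scanned:
an alias seeded for vendor A that is held by vendor B is evidence of sharing,
and a field that disagrees with the master record is a Request to Correct
candidate. All vendor ids, keys and profiles below are constructed examples.
"""
import hashlib
import hmac

# Hypothetical tagging key; in a real platform it belongs in the secure data
# repository, never in source. A key-derived tag keeps the vendor name out of
# the alias, so a recipient cannot tell which vendor it was seeded for.
TAG_KEY = b"example-tag-key-not-for-production"
BASE_LOCAL = "alice"           # consumer's mailbox local part (assumed)
BASE_DOMAIN = "example.org"    # a domain the consumer controls (assumed)


def vendor_tag(vendor_id: str) -> str:
    """Short, non-guessable tag for a vendor: truncated HMAC-SHA256 of its id."""
    return hmac.new(TAG_KEY, vendor_id.encode(), hashlib.sha256).hexdigest()[:8]


def seeded_email(vendor_id: str) -> str:
    """The plus-addressed alias handed only to this vendor."""
    return f"{BASE_LOCAL}+{vendor_tag(vendor_id)}@{BASE_DOMAIN}"


def build_inventory(vendor_ids):
    """Map every seeded alias back to the vendor it was issued to."""
    return {seeded_email(v): v for v in vendor_ids}


def normalize(value) -> str:
    """Case- and whitespace-insensitive comparison form for PI values."""
    return " ".join(str(value).strip().lower().split())


def scan_profile(held_by, profile, inventory, master):
    """Check one PI profile received from `held_by` against the inventory.

    Returns a list of findings, each a dict whose 'type' is one of:
      unauthorized_sharing - alias was seeded for a different vendor
      unknown_alias        - matches our alias pattern but was never issued
      mismatch             - field value disagrees with the master record
    """
    findings = []
    email = normalize(profile.get("email", ""))
    if email in inventory:
        seeded_for = inventory[email]
        if seeded_for != held_by:
            findings.append({"type": "unauthorized_sharing", "field": "email",
                             "value": email, "seeded_for": seeded_for,
                             "held_by": held_by})
    elif email.startswith(f"{BASE_LOCAL}+") and email.endswith(f"@{BASE_DOMAIN}"):
        # Our alias pattern, but no vendor owns it: fabricated or mangled data.
        findings.append({"type": "unknown_alias", "field": "email",
                         "value": email, "held_by": held_by})
    for field, canonical in master.items():
        if field in profile and normalize(profile[field]) != normalize(canonical):
            findings.append({"type": "mismatch", "field": field,
                             "expected": canonical, "got": profile[field],
                             "held_by": held_by})
    return findings


if __name__ == "__main__":
    inventory = build_inventory(["vendor-a", "vendor-b"])
    master = {"postal_code": "94105", "phone": "+1 415 555 0100"}

    # Constructed sample: vendor-a returns our own alias and correct data.
    print(scan_profile("vendor-a", {"email": seeded_email("vendor-a").upper(),
                                    "postal_code": "94105"}, inventory, master))
    # Constructed sample: a broker holds vendor-a's alias and a stale postal code.
    for finding in scan_profile("broker-x", {"email": seeded_email("vendor-a"),
                                             "postal_code": "94016"},
                                inventory, master):
        print(finding)
```

The findings are plain dicts with a fixed set of keys so that they can be dropped straight into a standardized result record; the alias itself is the evidence, and the HMAC derivation means the inventory can be rebuilt from the key and the vendor list if the secure repository is ever lost.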

A large portion of the tests conducted in Phase One dealt with issues such as constructing a 'verifiable request', identifying non-exempt businesses, and defining and classifying roles such as consumer, vendor, and customer.

Tests in Phase Two involve Requests to KNOW and Requests to CORRECT, which require a much higher standard of security and accountability:
all operations in my Vendor Risk Platform should be Zero Trust, and any authorized agents must maintain audit entries for every event that governs the use of my personal information.


III. Identity Verification

Although 'Verifying the Consumer's Identity' is a prerequisite for exercising many CCPA rights,
no common standard exists for using digital identities to do so.
Every business and government agency is permitted to use its own preferred standards and practices.

'Know Thy Vendor' is the most important principle of my Vendor Risk Management Program. It is my responsibility to 'DISCOVER' the Business, using advanced entity resolution techniques and resources.


IV. Data Protection

Prop. 24, as approved by voters, Gen. Elec. (Nov. 3, 2020), §§ 2(H), 3(A)(2), 3(B)(2)-(3).
A consumer’s control over their personal information requires that the purpose for collecting or processing that information is consistent with the consumer’s reasonable expectations. When a business’s purpose for collecting or processing personal information is inconsistent with the consumer’s reasonable expectations, consumers lose control over their personal information and are not in an informed position where they can exercise their rights or knowingly and freely negotiate with a business over the business’s use of their personal information.

On February 4, 2023, the CPPA requested public comments on three items for further consideration in finalizing the Regulations:

  1. cybersecurity audits
  2. risk assessments
  3. automated decisionmaking

These three items were in the ballot measure, Prop. 24, approved by voters. In the public comments I submitted to the CPPA on March 27, 2023, I referenced CCPA compliance test cases that can be evaluated against NIST SP 800-53r5 controls:

  • Consistency with Consumers' reasonable expectations
  • Consumers' control over their personal information
  • Consumers' ability to knowingly and freely negotiate with a business over the business’s use of their personal information

When a business fails to adequately protect a consumer's personal data, a case could be made that the Consumer's reasonable expectations are not met.

However, Consumers don't define what their reasonable expectations are: businesses and enforcement agencies do.

Consumers also don't set data protection standards, and when user credentials or sensitive personal information are compromised, they can end up on the dark web, only to be collected and resold to data brokers and malicious actors.

When a business fails to notify consumers of a data breach, consumers lose control over their personal information.

If the consumer wants to control their personal information so that breached data isn't shared with other vendors, they will need help from an enforcement agency with the authority and resources to enforce data breach notification laws and take corrective actions.

When an enforcement agency has the authority and resources to enforce data breach notification laws and fails to do so, responsibility for data protection falls on the Consumer. Civil Code section 1798.150(a)(1), the CCPA's private right of action, states:

Any [California resident] consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.

Consumers lose the ability to knowingly and freely negotiate with a business over the business's use of their personal information
when an enforcement agency, or another provision of law, comes between a Consumer and a Business, effectively usurping any right or influence the Consumer might otherwise wield over the Business's practices.


V. Reporting

Most cybersecurity audits and assessments are based on an auditing standard, and produce reports that inform corrective actions.

My design intent when reporting CCPA test results is to automatically generate data inputs that support security and compliance processes controlled by other entities,
such as the California Department of Technology and the California Office of Information Security, which use NIST as their cybersecurity framework standard.

I'm experimenting with a subset of 100 NIST controls that I've mapped to CCPA test cases and implemented within my Zero-Trust Vendor Risk Management Platform.
For educational purposes, I welcome you to assess the security of my platform, evaluate the degree to which my practices comply with the CCPA, and set your own reasonable expectations for how your personal information should be controlled.

For a deeper dive into the CCPA test data, please send me an email to request full access to my open datasets and projects on data.world, to schedule a demo or presentation, or to collaborate or consult with me.

Sincerely,
Craig Erickson, a California Consumer

Published 04/04/2023