What is CCPA (California Consumer Privacy Act), how to design for compliance and implementation into current designs. What are the pitfalls and nuances of designing for security and how does someone get into designing security for digital.

1. Designing for compliance:
why you should care
Esteban Pérez-Hemminger | Senior Design Lead | IBM Security Design

2. Agreements are the new login screen
Design for compliance from Day 1
Show usefulness & value
Show why the user should care about data privacy
Nurture long-term partnerships
Ensure biz and user have a two-way engagement
Takeaways
the outline
B A C K S T O R Y

3. My journey
PR NYC ATX
B A C K S T O R Y
1982 2010 2015
U n d e r g r a d d e g r e e s
F r e e l a n c e w o r k
M u s i c c a r e e r
G r a d s c h o o l
T e a c h i n g a s s i s t a n t
D e s i g n s t u d i o s
P r o d u c t d e s i g n
E n t e r p r i s e s c a l e
C l o u d + s e c u r i t y

4. B A C K S T O R Y
During the last 4 years at IBM, I’ve led ~5 projects, and it all began in
the Hybrid Cloud organization. Here are some of the Cloud projects.

5. Security design
a whole new world
Senior Design Lead • project scope, process, team direction & delivery
S I N C E F A L L ‘ 1 8

6. You don’t have to
be a designer in a
security team to
design with
security in mind.
S E C U R I T Y - D

7. I had no previous
experience in
security.
S E C U R I T Y - D

8. Now in Security, I’m involved in two projects: Identity Management and
Data Protection, the latter is where compliance comes in.
S E C U R I T Y - D

9. Not fancy
Key experiences are secondary to main user tasks
Meta
Comply to help others comply
Awareness gap
Data privacy relates to all designers
Learning curve
what’s unique
S E C U R I T Y - D

10. Security jargon
for designers
Data
privacy
How that personal
info is collected, used,
shared by companies
Personal
Information (PI)
Info that can be used
to identify, contact or
locate an individual
Compliance
Following the
obligations/rules
specified by a
regulation body
(e.g. GDPR, CCPA, PCI)
S E C U R I T Y - D

11. The change
why regulations changed us

12. I didn’t study the law. I work in IT.
I just need to know what to protect and,
more importantly, how. The legislation [GDPR]
doesn’t give a clear path on how a business
is supposed to be compliant.
— J.T., IT Admin
“
T H E C H A N G E

13. Panic
Are we in trouble?
Confusion
Will it a!ect my biz?
Overwhelmed
Where do I begin the process?
Pain points
what we heard
T H E C H A N G E

14. Consumers won’t buy
from companies they
don’t trust
75%
Proof of compliance
will be seen by the
public as a positive
di!erentiator
81 %
The stats
the biz perspective
Retailers are ready
for CCPA’s deadline
46%
https://chargebacks911.com/california-consumer-privacy-act/
https://info.trustarc.com/Web-Resource-2019-03-18-CCPA-GDPRComplianceReport_LP.html
https://elitesem.com/blog/ccpa-need-to-know/
T H E C H A N G E

15. Proof of compliance
will be seen by the
public as a positive
di!erentiator
81 %
The stats
the biz perspective
https://chargebacks911.com/california-consumer-privacy-act/
https://info.trustarc.com/Web-Resource-2019-03-18-CCPA-GDPRComplianceReport_LP.html
https://elitesem.com/blog/ccpa-need-to-know/
T H E C H A N G E
Consumers won’t buy
from companies they
don’t trust
75%
Retailers are ready
for CCPA’s deadline
46%

16. Here’s where
your design e!ort
should focus on
T H E C H A N G E

17. 00
https://www.varonis.com/blog/ccpa-vs-gdpr/#_
CCPA v GDPR
T H E C H A N G E

18. CX impact
how compliance a!ects our work

19. General Data Protection
Regulation (GDPR)
Signed on 2016
In e!ect May 25, 2018
The California Consumer
Privacy Act (CCPA)
Signed in 2018
In e!ect January 1, 2020
C X I M P A C T
Compliance
GDPR v CCPA

20. General Data Protection
Regulation (GDPR)
Signed on 2016
In e!ect May 25, 2018
https://gdpr-info.eu/
https://eugdpr.org/
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
GDPR
overview
Protects: Right to Access, to
delete, do not sell data
Parental consent for children
Applies to all organizations
(for- and non-profits)
Fines up to 4% of annual
global turnover or €20M
C X I M P A C T

21. CCPA
the not so little brother
Set up specific communication
channels for data requests
Expands personal data to
include household
No “right to be forgotten”
No option to opt-out outright
The California Consumer
Privacy Act (CCPA)
Signed in 2018
In e!ect January 1, 2020
https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
https://www.tripwire.com/state-of-security/security-data-protection/a-practical-guide-to-ccpa-for-u-s-businesses/
https://elitesem.com/blog/ccpa-need-to-know/
C X I M P A C T

22. The CCPA impact
how biz is a!ected
For-profit businesses
Any business that operates in California
Any company that does biz with consumers in California
Up to $7,500 per infraction
C X I M P A C T

23. Legal Tech Personal
C X I M P A C T

24. Legal Tech Personal
C X I M P A C T

25. User Experience
C X I M P A C T

26. In these gaps
designers can
become the
translators
C X I M P A C T

27. Acquire consent
Enable removal
Pass data control
Biz obligations
Transparency
Trust
Ownership
User rights
C X I M P A C T

28. Compliance UX
design moments

29. UnsubscribeIf a subscriber wants o! your list, you have 10 days to do it. (Spam Act 2003)
C O M P L I A N C E U X
https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
https://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003

30. Whose info
What type of info
Where is it stored
Why do you need it
How can I get it
C O M P L I A N C E U X

31. User lifecylce
milestones
Updates Customization O!boardingOnboarding
D A Y 1 D A Y 1 0 D A Y 3 0 D A Y 3 0 0
C O M P L I A N C E U X

32. C O M P L I A N C E U X
Day 1
Onboarding Updates Customization O!boarding
No guesswork: don’t
put the onus on users
to be and stay secure

33. Onboarding Updates Customization O!boarding
C O M P L I A N C E U X
Day 1
More is better: the
highest privacy must
be the default setting

34. Onboarding Updates Customization O!boarding
Day 10
C O M P L I A N C E U X
Don’t hide: don’t
make finding updates
an easter egg hunt

35. Onboarding Updates Customization O!boarding
Day 10
C O M P L I A N C E U X
Be proactive: show
impacts to privacy
and guide to update

36. Day 30
Onboarding Updates Customization O!boarding
C O M P L I A N C E U X
Don’t be an obstacle:
remove hurdles that
impede any editing

37. Day 30
Onboarding Updates Customization O!boarding
C O M P L I A N C E U X
Minds change: let
users change their
preferences anytime

38. Day 300
Onboarding Updates Customization O!boarding
C O M P L I A N C E U X
Don’t be a bad ex:
don’t hold people
hostage to the app

39. Day 300
Onboarding Updates Customization O!boarding
C O M P L I A N C E U X
Hand o! control:
make retrieval and
opt-out painless

40. Recap
practices and takeaways

41. Agreements are the new login screen
Design for compliance from Day 1
Show usefulness & value
Show why the user should care about data privacy
Nurture long-term partnerships
Ensure biz and user have a two-way engagement
Takeaways
one more time
R E C A P

42. 01
Agreements are the new login screen
(Max) Privacy must be the default
Acknowledge the user’s apprehension
Identify privacy moments across flows
R E C A P

43. 02
Show usefulness & value
Present content in a consumable way
Show why the user should care
Give them control of their data
R E C A P

44. 03
Nurture long-term partnerships
Be open when mistakes happen
Communicate any data or policy changes
Foster a two-way dialog between biz and user
R E C A P

45. Bonus!
build for flexibility
Allow users to change their mind
Give them control
Follow the unsubscribe model
R E C A P

46. Be open with users
and they’ll become
advocates of your
company, product
or brand.
R E C A P

47. Thanks
for
listening!

48. Sources
additional things I referenced
https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
https://www.tripwire.com/state-of-security/security-data-protection/a-practical-guide-to-ccpa-for-u-s-businesses/
https://elitesem.com/blog/ccpa-need-to-know/
https://termly.io/resources/articles/privacy-by-design-best-practices/
https://www.bbb.org/greater-san-francisco/for-businesses/understanding-privacy-policy/
https://eugdpr.org/
https://ec.europa.eu/
https://uxdesign.cc/what-does-gdpr-mean-for-ux-9b5ecbc51a43
https://www.perkinscoie.com/en/news-insights/ccpa-vs-gdpr-know-the-differences.html
https://elitesem.com/blog/ccpa-need-to-know/
https://iapp.org/resources/article/cacpa-what-to-disclose-and-where-to-disclose-it/
https://www.securitynow.com/author.asp?section_id=706&doc_id=744859