What is the CCPA (California Consumer Privacy Act), how to design for compliance and implement it in current designs. What are the pitfalls and nuances of designing for security, and how does someone get into designing security for digital.
2. Takeaways: the outline
Agreements are the new login screen
Design for compliance from Day 1
Show usefulness & value
Show why the user should care about data privacy
Nurture long-term partnerships
Ensure biz and user have a two-way engagement
BACKSTORY
3. My journey
PR / NYC / ATX
1982 / 2010 / 2015
Undergrad degrees
Freelance work
Music career
Grad school
Teaching assistant
Design studios
Product design
Enterprise scale
Cloud + security
4. During the last 4 years at IBM, I’ve led ~5 projects, and it all began in the Hybrid Cloud organization. Here are some of the Cloud projects.
5. Security design: a whole new world
Senior Design Lead • project scope, process, team direction & delivery
SINCE FALL ‘18
6. You don’t have to be a designer in a security team to design with security in mind.
SECURITY-D
7. I had no previous experience in security.
8. Now in Security, I’m involved in two projects: Identity Management and Data Protection; the latter is where compliance comes in.
9. What’s unique
Not fancy: key experiences are secondary to main user tasks
Meta: comply to help others comply
Awareness gap: data privacy relates to all designers
Learning curve
10. Security jargon for designers
Personal Information (PI): info that can be used to identify, contact or locate an individual
Data privacy: how that personal info is collected, used, and shared by companies
Compliance: following the obligations/rules specified by a regulation body (e.g. GDPR, CCPA, PCI)
12. “I didn’t study the law. I work in IT. I just need to know what to protect and, more importantly, how. The legislation [GDPR] doesn’t give a clear path on how a business is supposed to be compliant.”
— J.T., IT Admin
THE CHANGE
13. Pain points: what we heard
Panic: Are we in trouble?
Confusion: Will it affect my biz?
Overwhelmed: Where do I begin the process?
14. The stats: the biz perspective
75%: Consumers won’t buy from companies they don’t trust
81%: Proof of compliance will be seen by the public as a positive differentiator
46%: Retailers are ready for CCPA’s deadline
Sources:
https://chargebacks911.com/california-consumer-privacy-act/
https://info.trustarc.com/Web-Resource-2019-03-18-CCPA-GDPRComplianceReport_LP.html
https://elitesem.com/blog/ccpa-need-to-know/
19. Compliance: GDPR v CCPA
General Data Protection Regulation (GDPR): signed in 2016, in effect May 25, 2018
The California Consumer Privacy Act (CCPA): signed in 2018, in effect January 1, 2020
CX IMPACT
20. GDPR overview
General Data Protection Regulation (GDPR): signed in 2016, in effect May 25, 2018
Protects: right to access, to delete, do not sell data
Parental consent for children
Applies to all organizations (for- and non-profits)
Fines up to 4% of annual global turnover or €20M
Sources:
https://gdpr-info.eu/
https://eugdpr.org/
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
21. CCPA: the not so little brother
The California Consumer Privacy Act (CCPA): signed in 2018, in effect January 1, 2020
Set up specific communication channels for data requests
Expands personal data to include household
No “right to be forgotten”
No option to opt-out outright
Sources:
https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
https://www.tripwire.com/state-of-security/security-data-protection/a-practical-guide-to-ccpa-for-u-s-businesses/
https://elitesem.com/blog/ccpa-need-to-know/
22. The CCPA impact: how biz is affected
For-profit businesses
Any business that operates in California
Any company that does biz with consumers in California
Up to $7,500 per infraction
29. Unsubscribe: If a subscriber wants off your list, you have 10 days to do it. (Spam Act 2003)
Sources:
https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
https://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003
COMPLIANCE UX
30. Whose info
What type of info
Where is it stored
Why do you need it
How can I get it
41. Takeaways: one more time
Agreements are the new login screen
Design for compliance from Day 1
Show usefulness & value
Show why the user should care about data privacy
Nurture long-term partnerships
Ensure biz and user have a two-way engagement
RECAP
42. 01 Agreements are the new login screen
(Max) Privacy must be the default
Acknowledge the user’s apprehension
Identify privacy moments across flows
43. 02 Show usefulness & value
Present content in a consumable way
Show why the user should care
Give them control of their data
44. 03 Nurture long-term partnerships
Be open when mistakes happen
Communicate any data or policy changes
Foster a two-way dialog between biz and user