New CCPA Regulation Makes it Easier for Consumer Privacy Opt-Out

• The California Attorney General announced a new California Consumer Privacy Act (CCPA) regulation that bans a business practice that makes it more difficult for consumer privacy opt-out.
• The new CCPA regulation means businesses will not be able to direct consumers to different web pages or to sit through explanations of why they should not opt-out. It also means the addition of a new button for companies to use to guide people where they can opt-out of having their data sold.
• The American Medical Collection Agency (AMCA) settled with 41 state Attorney Generals over the 2019 AMCA data breach. If AMCA does not live up to the settlement terms, it could lead to $21 million in fines to be paid to the states.
• For more information on the new CCPA regulation, consumer privacy opt-outs, and the AMCA data breach settlement, listen to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown podcast.
• To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.  
• For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

But Wait, There’s More! 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 19, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy.

Back in the early days of infomercials, there would come the point in a television ad selling the latest knife set or blender when the person making the pitch would stop, look earnestly into the camera, and shout, “but wait, there’s more!” That’s the title of this week’s episode, where we look at a new California Consumer Privacy Act (CCPA) regulation and provide an update on a major 2019 data breach.

New CCPA Regulation and its Effect on Consumer Privacy Opt-Outs 

Even though the CCPA has been in effect for more than a year, there’s an important part of the legislative process that tends to be left out of civics lessons. Most laws require regulations to be adopted to enforce them. 

The new CCPA regulation formally adopted this past week was proposed in response to a practice known as “Dark Patterns.” This practice makes exercising one’s right so confusing or frustrating that people give up trying.  

Consumers may be directed to another web page, forced to click on multiple pages, or scroll through a series of screens. People may even have to sit through a long explanation of why they shouldn’t opt-out of allowing a company to sell their data. 

That’s not what the California legislature had in mind when it passed the law in 2018. There were promises it would be easy for Golden State residents to exercise their new-found privacy rights. Chief among those rights was a requirement for businesses governed by the CCPA to put a “Do Not Sell My Information” button in a prominent place on the web pages.  

Along with banning practices that impede a consumer privacy opt-out of data sales, the new CCPA regulation also includes a new button that companies can use to help guide consumers to where on their website they can go to exercise their privacy rights.  

Known as the Privacy Options icon, the blue website button was designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information. It was tested against other icons to determine the best design for communicating consumers’ privacy choices. 

Look for those coming to a website near you. 

But wait, there’s more! 

American Medical Collection Agency Settles with States over 2019 Data Breach 

In 2019, medical debt collection company, American Medical Collection Agency (AMCA), revealed the company had been the target of an eight-month-long cyberattack. It resulted in a data breach of information regarding at least seven million people and possibly as many as 21 million people. Shortly after announcing the security and data breaches, AMCA filed for bankruptcy. 

Forty-one state attorney generals intervened in the bankruptcy proceeding recently and received the court’s permission to enter into a settlement with AMCA. No financial penalties apply because of the financial condition of the company. However, AMCA agreed to a series of cybersecurity upgrades and ongoing audits. If AMCA fails to live up to the terms of the agreement, it will trigger $21 million in fines to be paid to the states. 

As Steve Jobs would say, just one more thing. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics.  

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.