WEBVTT

1
00:00:00.180 --> 00:00:01.290
In this lesson,

2
00:00:01.290 --> 00:00:04.290
we will learn about privacy regulations.

3
00:00:04.290 --> 00:00:07.140
Privacy regulations are designed to protect

4
00:00:07.140 --> 00:00:10.770
individuals' personal information and privacy rights

5
00:00:10.770 --> 00:00:13.290
by setting requirements for how organizations

6
00:00:13.290 --> 00:00:17.010
collect, store, use, and share data.

7
00:00:17.010 --> 00:00:21.390
For example, the Children's Online Privacy Act, or COPPA,

8
00:00:21.390 --> 00:00:25.290
focuses on protecting children's data in the US.

9
00:00:25.290 --> 00:00:28.710
The General Data Protection Law, or LGPD,

10
00:00:28.710 --> 00:00:31.440
sets data protection standards in Brazil.

11
00:00:31.440 --> 00:00:35.190
The California Consumer Privacy Act, or CCPA,

12
00:00:35.190 --> 00:00:38.580
addresses privacy rights in the state of California.

13
00:00:38.580 --> 00:00:42.360
And the General Data Protection Regulation, or GDPR,

14
00:00:42.360 --> 00:00:45.990
enforces data protection across the European Union.

15
00:00:45.990 --> 00:00:47.400
In all cases,

16
00:00:47.400 --> 00:00:50.430
organizations must adapt their security strategies

17
00:00:50.430 --> 00:00:53.490
to comply with these diverse regulations,

18
00:00:53.490 --> 00:00:57.630
ensuring robust data protection and privacy measures

19
00:00:57.630 --> 00:00:59.760
tailored to different legal requirements

20
00:00:59.760 --> 00:01:02.340
in different geographical regions.

21
00:01:02.340 --> 00:01:06.000
Let's learn more about the Children's Online Privacy Act,

22
00:01:06.000 --> 00:01:07.920
the General Data Protection Law,

23
00:01:07.920 --> 00:01:10.290
the California Consumer Privacy Act,

24
00:01:10.290 --> 00:01:13.170
and the General Data Protection Regulation.

25
00:01:13.170 --> 00:01:15.480
When developing a security policy,

26
00:01:15.480 --> 00:01:17.490
it's essential to involve experts

27
00:01:17.490 --> 00:01:20.760
from legal, human resources, public affairs,

28
00:01:20.760 --> 00:01:22.650
and other key stakeholders

29
00:01:22.650 --> 00:01:26.250
to ensure compliance with relevant laws and regulations.

30
00:01:26.250 --> 00:01:28.650
There are numerous laws and regulations

31
00:01:28.650 --> 00:01:31.320
that our organizations need to follow,

32
00:01:31.320 --> 00:01:34.500
and experts help ensure our security policies

33
00:01:34.500 --> 00:01:38.010
meet or exceed all applicable legal requirements.

34
00:01:38.010 --> 00:01:39.120
For the exam,

35
00:01:39.120 --> 00:01:42.360
you need to be familiar with the various laws, regulations,

36
00:01:42.360 --> 00:01:45.720
and standards that might apply to your organization,

37
00:01:45.720 --> 00:01:47.250
such as GDPR,

38
00:01:47.250 --> 00:01:50.850
which affects how personal data is processed and protected.

39
00:01:50.850 --> 00:01:53.820
Understanding how regulations like GDPR

40
00:01:53.820 --> 00:01:57.600
impact your organization is very important.

41
00:01:57.600 --> 00:02:01.410
In this lesson, we'll discuss a range of regulations,

42
00:02:01.410 --> 00:02:04.500
and while you don't need to memorize everything,

43
00:02:04.500 --> 00:02:07.320
you should be able to recognize key words.

44
00:02:07.320 --> 00:02:10.200
For instance, when you hear GDPR,

45
00:02:10.200 --> 00:02:12.690
you should associate it with data privacy

46
00:02:12.690 --> 00:02:14.940
and personal information protection,

47
00:02:14.940 --> 00:02:18.240
especially when handling data from the European Union

48
00:02:18.240 --> 00:02:19.830
or its citizens.

49
00:02:19.830 --> 00:02:23.760
First, we have the Children's Online Privacy Protection Act,

50
00:02:23.760 --> 00:02:24.900
or COPPA.

51
00:02:24.900 --> 00:02:28.410
COPPA sets specific requirements for website operators

52
00:02:28.410 --> 00:02:29.850
and online services

53
00:02:29.850 --> 00:02:34.140
that are directed toward children under 13 years of age.

54
00:02:34.140 --> 00:02:37.380
COPPA also applies to any website or service

55
00:02:37.380 --> 00:02:40.290
that knowingly collects personal information

56
00:02:40.290 --> 00:02:42.660
from users under 13,

57
00:02:42.660 --> 00:02:46.590
even if the site isn't specifically targeting children.

58
00:02:46.590 --> 00:02:50.130
Essentially, if a company knows it's collecting data

59
00:02:50.130 --> 00:02:52.890
from a child under 13 years of age,

60
00:02:52.890 --> 00:02:54.870
whether intentionally or not,

61
00:02:54.870 --> 00:02:57.900
COPPA requires them to follow strict guidelines

62
00:02:57.900 --> 00:02:59.880
to protect the child's privacy

63
00:02:59.880 --> 00:03:02.160
and secure their personal information.

64
00:03:02.160 --> 00:03:05.790
So let's imagine you are running a website like Facebook

65
00:03:05.790 --> 00:03:08.310
and collecting data from all your users.

66
00:03:08.310 --> 00:03:10.140
You are subject to COPPA.

67
00:03:10.140 --> 00:03:13.110
However, large tech companies like Facebook

68
00:03:13.110 --> 00:03:16.080
often try to claim they aren't bound by this law

69
00:03:16.080 --> 00:03:19.860
because they don't specifically target children under 13.

70
00:03:19.860 --> 00:03:23.010
In fact, when someone creates a Facebook account,

71
00:03:23.010 --> 00:03:24.810
they're asked to enter their birthday,

72
00:03:24.810 --> 00:03:26.340
and if they're under 13,

73
00:03:26.340 --> 00:03:28.980
they can't proceed without parental consent.

74
00:03:28.980 --> 00:03:31.800
However, many kids bypass this

75
00:03:31.800 --> 00:03:34.740
by lying about their age to create an account.

76
00:03:34.740 --> 00:03:37.890
So even if children are lying about their age,

77
00:03:37.890 --> 00:03:41.580
that website, Facebook, is still subject to COPPA.

78
00:03:41.580 --> 00:03:43.650
Under COPPA, the federal government,

79
00:03:43.650 --> 00:03:45.930
specifically the Federal Trade Commission,

80
00:03:45.930 --> 00:03:50.010
can issue fines of up to $40,000 per violation,

81
00:03:50.010 --> 00:03:51.840
which can add up quickly.

82
00:03:51.840 --> 00:03:54.630
While this could devastate small businesses,

83
00:03:54.630 --> 00:03:57.420
larger companies like Facebook and Google

84
00:03:57.420 --> 00:04:00.720
may not feel the financial impact as much,

85
00:04:00.720 --> 00:04:03.420
making COPPA a topic of debate.

86
00:04:03.420 --> 00:04:06.660
It's important to note that if your product or service

87
00:04:06.660 --> 00:04:08.910
could be used by younger audiences,

88
00:04:08.910 --> 00:04:12.390
COPPA will apply and impose strict requirements.

89
00:04:12.390 --> 00:04:16.020
Second, we have Brazil's General Data Protection Law,

90
00:04:16.020 --> 00:04:17.850
or LGPD.

91
00:04:17.850 --> 00:04:20.430
LGPD sets specific requirements

92
00:04:20.430 --> 00:04:22.530
for how companies and organizations

93
00:04:22.530 --> 00:04:26.010
handle the personal data of individuals in Brazil.

94
00:04:26.010 --> 00:04:29.880
This law applies not only to businesses operating in Brazil,

95
00:04:29.880 --> 00:04:33.630
but also to any company, regardless of location,

96
00:04:33.630 --> 00:04:37.410
that processes personal data from Brazilian residents.

97
00:04:37.410 --> 00:04:40.620
It ensures that businesses follow strict guidelines

98
00:04:40.620 --> 00:04:42.990
regarding the collection, storage,

99
00:04:42.990 --> 00:04:45.270
and usage of personal information,

100
00:04:45.270 --> 00:04:48.240
prioritizing the protection of privacy.

101
00:04:48.240 --> 00:04:51.990
So let's imagine you are running an online service

102
00:04:51.990 --> 00:04:53.550
that collects user data,

103
00:04:53.550 --> 00:04:56.190
including names and email addresses

104
00:04:56.190 --> 00:04:57.870
from Brazilian customers.

105
00:04:57.870 --> 00:05:00.780
Even if your business isn't based in Brazil,

106
00:05:00.780 --> 00:05:02.790
LGPD still applies,

107
00:05:02.790 --> 00:05:06.480
requiring you to obtain clear consent from users

108
00:05:06.480 --> 00:05:08.670
before gathering their information.

109
00:05:08.670 --> 00:05:10.230
Users also have the right

110
00:05:10.230 --> 00:05:14.460
to request access, correction, or deletion of their data.

111
00:05:14.460 --> 00:05:19.230
Non-compliance with LGPD can result in significant fines

112
00:05:19.230 --> 00:05:22.440
up to 2% of your company's revenue in Brazil,

113
00:05:22.440 --> 00:05:26.400
with a maximum of 50 million reals per violation.

114
00:05:26.400 --> 00:05:28.860
This can have serious consequences,

115
00:05:28.860 --> 00:05:31.290
especially for smaller businesses.

116
00:05:31.290 --> 00:05:33.750
So it's important to ensure compliance

117
00:05:33.750 --> 00:05:36.420
if your organization processes data

118
00:05:36.420 --> 00:05:38.130
from Brazilian residents.

119
00:05:38.130 --> 00:05:43.130
Third, we have the California Consumer Privacy Act, or CCPA.

120
00:05:43.290 --> 00:05:46.890
The CCPA gives California residents more control

121
00:05:46.890 --> 00:05:50.100
over the personal data that companies collect from them.

122
00:05:50.100 --> 00:05:53.580
It applies to businesses that meet specific criteria,

123
00:05:53.580 --> 00:05:57.990
such as earning over $25 million in annual revenue,

124
00:05:57.990 --> 00:06:00.450
or those that handle the personal information

125
00:06:00.450 --> 00:06:03.090
of 50,000 or more customers.

126
00:06:03.090 --> 00:06:06.690
Under CCPA, consumers have the right to know

127
00:06:06.690 --> 00:06:09.300
what personal data is being collected,

128
00:06:09.300 --> 00:06:12.480
the ability to request that their data be deleted,

129
00:06:12.480 --> 00:06:15.990
and the right to opt out of the sale of their data.

130
00:06:15.990 --> 00:06:20.040
So let's imagine you are running an online retail site

131
00:06:20.040 --> 00:06:23.340
and collecting data from California-based users,

132
00:06:23.340 --> 00:06:25.530
like names and shopping preferences.

133
00:06:25.530 --> 00:06:29.670
Since your business is required to meet CCPA criteria,

134
00:06:29.670 --> 00:06:31.920
you are required to inform customers

135
00:06:31.920 --> 00:06:33.990
about the data you are collecting

136
00:06:33.990 --> 00:06:36.990
and give them the option to request its deletion

137
00:06:36.990 --> 00:06:38.130
or to opt out

138
00:06:38.130 --> 00:06:41.160
of having their information sold to third parties.

139
00:06:41.160 --> 00:06:43.350
Non-compliance can lead to penalties,

140
00:06:43.350 --> 00:06:48.350
with fines of up to $7,500 per intentional violation.

141
00:06:48.690 --> 00:06:49.530
While these fines

142
00:06:49.530 --> 00:06:52.920
might not significantly impact large corporations,

143
00:06:52.920 --> 00:06:55.470
they could pose a challenge for smaller businesses.

144
00:06:55.470 --> 00:06:56.820
It's important to note

145
00:06:56.820 --> 00:07:01.080
that CCPA applies even if you're not based in California

146
00:07:01.080 --> 00:07:04.770
as long as you handle data from California residents.

147
00:07:04.770 --> 00:07:06.300
Fourth and finally,

148
00:07:06.300 --> 00:07:10.137
we have the General Data Protection Regulation, or GDPR.

149
00:07:10.137 --> 00:07:14.070
The GDPR is one of the biggest and best requirements

150
00:07:14.070 --> 00:07:16.710
in terms of consumer privacy protections.

151
00:07:16.710 --> 00:07:20.190
GDPR is a law created by the European Union

152
00:07:20.190 --> 00:07:22.920
and enforced by the data protection authorities

153
00:07:22.920 --> 00:07:25.620
in each European Union member state.

154
00:07:25.620 --> 00:07:27.510
Here's how GDPR works.

155
00:07:27.510 --> 00:07:31.440
It states that personal data cannot be collected, processed,

156
00:07:31.440 --> 00:07:35.640
or retained without the individual's informed consent.

157
00:07:35.640 --> 00:07:38.760
Informed consent means that the data is collected

158
00:07:38.760 --> 00:07:41.430
and used only for the specific purpose

159
00:07:41.430 --> 00:07:44.700
clearly explained to the user in plain language,

160
00:07:44.700 --> 00:07:46.800
not hidden in legal jargon.

161
00:07:46.800 --> 00:07:48.990
For example, if a website asks

162
00:07:48.990 --> 00:07:51.270
for your name, email, and address

163
00:07:51.270 --> 00:07:53.460
to sell and deliver you a product,

164
00:07:53.460 --> 00:07:56.400
then, for that company, selling and delivering the product

165
00:07:56.400 --> 00:07:58.320
is their stated purpose.

166
00:07:58.320 --> 00:08:00.990
They can't send you marketing materials later

167
00:08:00.990 --> 00:08:03.060
unless you agree to allow them

168
00:08:03.060 --> 00:08:05.400
to send you those marketing materials.

169
00:08:05.400 --> 00:08:08.700
The statement allowing the sending of marketing materials

170
00:08:08.700 --> 00:08:12.270
must be clearly stated at the time of purchase.

171
00:08:12.270 --> 00:08:15.090
GDPR also gives users the right

172
00:08:15.090 --> 00:08:17.850
to withdraw their consent at any time,

173
00:08:17.850 --> 00:08:21.480
as well as the ability to inspect, amend,

174
00:08:21.480 --> 00:08:24.990
or erase any data the organization holds about them.

175
00:08:24.990 --> 00:08:28.290
This is commonly known as the right to be forgotten.

176
00:08:28.290 --> 00:08:30.720
If you are a resident of the European Union,

177
00:08:30.720 --> 00:08:33.720
you can contact the company that collected your data

178
00:08:33.720 --> 00:08:37.170
and request that all data they have on you be deleted,

179
00:08:37.170 --> 00:08:39.720
and they are legally required to comply.

180
00:08:39.720 --> 00:08:43.590
This law offers strong protections for European citizens.

181
00:08:43.590 --> 00:08:47.700
However, if you're an American, GDPR doesn't apply.

182
00:08:47.700 --> 00:08:51.210
So companies aren't obligated to honor the same rights

183
00:08:51.210 --> 00:08:52.800
unless they choose to.

184
00:08:52.800 --> 00:08:55.290
You can always request data deletion,

185
00:08:55.290 --> 00:08:58.020
but those companies aren't legally required

186
00:08:58.020 --> 00:09:00.210
to actually delete your data.

187
00:09:00.210 --> 00:09:04.440
So remember, the Children's Online Privacy Protection Act

188
00:09:04.440 --> 00:09:06.780
is a US law that protects the privacy

189
00:09:06.780 --> 00:09:09.450
of children under the age of 13

190
00:09:09.450 --> 00:09:12.450
by requiring websites and online services

191
00:09:12.450 --> 00:09:13.950
to follow strict guidelines

192
00:09:13.950 --> 00:09:16.380
when collecting their personal information.

193
00:09:16.380 --> 00:09:20.130
Brazil's General Data Protection Law applies to any company

194
00:09:20.130 --> 00:09:22.920
that processes data from Brazilian residents,

195
00:09:22.920 --> 00:09:25.530
setting strict rules on how personal data

196
00:09:25.530 --> 00:09:28.110
is collected, stored, and used,

197
00:09:28.110 --> 00:09:30.840
with significant fines for non-compliance.

198
00:09:30.840 --> 00:09:33.060
The California Consumer Privacy Act

199
00:09:33.060 --> 00:09:35.730
gives California residents in the US

200
00:09:35.730 --> 00:09:37.950
control over their personal data,

201
00:09:37.950 --> 00:09:41.190
allowing them to know what data is being collected,

202
00:09:41.190 --> 00:09:44.670
request deletion, and opt out of data sales.

203
00:09:44.670 --> 00:09:48.000
The General Data Protection Regulation is an EU law

204
00:09:48.000 --> 00:09:51.330
that requires informed consent for data collection,

205
00:09:51.330 --> 00:09:54.030
gives users the right to access, amend,

206
00:09:54.030 --> 00:09:55.380
or delete their data,

207
00:09:55.380 --> 00:09:56.550
and is enforced

208
00:09:56.550 --> 00:09:59.370
by data protection authorities across Europe.

209
00:09:59.370 --> 00:10:03.180
These laws and acts protect individuals' privacy

210
00:10:03.180 --> 00:10:07.233
and ensure that companies handle personal data responsibly.

