Unbeknownst to many consumers, the country’s most advanced consumer privacy act just went into effect on January 1, 2020. The California Consumer Privacy Act (CCPA) outlines some of the strongest protections for individual consumers and the companies they choose to do business with. However, some early reporting shows that a lot of people are still not aware of the new legislation.


The CCPA provides new protections in the event of a data breach, new tools for consumers to find out exactly what information a company has collected and sold or shared, and more. Under the CCPA, consumers also have the right to delete some personal information and opt-in for children. In the CCPA, personal information is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information under the CCPA does not include publicly available information.

Companies doing business in California — whether they are located there or not, or simply have customers or users who reside in the state — must provide more than just the proof of information they have collected. If an individual consumer does not want their information sold to third parties, the CCPA states they have the right to opt-out and the companies must comply. Failure to comply could result in significant fines, penalties and damage awards of up to $7,500 per consumer.


That has been a sticking point for a number of businesses, though.

There are questions about how businesses will comply with the “do not sell” requirements. Some companies are claiming that if they “share” their users’ data with an outside company, they are in compliance. The supporters of the CCPA have said selling and sharing are the same thing, though companies like Facebook, CVS, Indeed and others argue their methods of providing users’ information to outsiders do not violate the CCPA.


Some of the other responsibilities of businesses include a child opt-in requirement, a website notice requirement, a duty to educate, vendor agreements, third-party transfers and cybersecurity protections to prevent a data breach. In the event of a data breach, consumers can now sue to recover up to $750 in costs per data breach.


Though the California Consumer Privacy Act went into effect on January 1, businesses have until July 1 to comply before enforcement—and presumably, punitive action—begins. It will be interesting to see both how this plays out for businesses that make a lot of money by selling their customers’ information, and how many other states follow suit with legislation of their own.


Free Identity Theft Assistance

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

This news is currently evolving and we will update as announcements are made available.  


Save the date for this year’s Data Privacy Day! In the current always-connected digital age, it can be easy to take privacy for granted. Apps, websites, social media and even games want everything from permission to access our contacts list to invasive amounts of personal information. Even signing up for a new account can mean turning over your name, email address or birth date.

Too often, though, consumers do not stop to think about why an app wants to use their friends list or why a game needs access to their device’s photos. We simply click through the terms of use and wonder later on how hackers stole our data in a data breach or why a company sold our information to third parties.

StaySafeOnline, which is powered by the National Cyber Security Alliance, will be hosting its annual Data Privacy Day on Tuesday, January 28. This live-streamed event will begin at 1:00 p.m. EST/10:00 a.m. PST and will feature industry experts speaking on a variety of privacy-related topics.

One session of the event will be important to a lot of different stakeholders, that being the discussion of the new California Consumer Privacy Act, which is set to take effect this month. There will also be panels on the effects of the GDPR regulations that have already gone into effect in Europe, as well as discussions on how privacy affects both businesses and individuals in a worldwide-connectivity landscape.

More importantly, one of the goals of Data Privacy Day is to look ahead to what the future of the privacy and cybersecurity landscape might look like. A few years ago we might have never envisioned mobile games that could leak your personal information online or social media apps that buy and sell users’ data as a commodity. Now, with the first days of 2020 already behind us, it is both exciting and a little unnerving to imagine what privacy will really mean in the coming decade. To participate in the online live stream of Data Privacy Day 2020, visit StaySafeOnline.org and click on the Data Privacy Day tab.


As this year winds down, it is important to spend a little time reflecting on the 2019 identity crimes, some of the things that went right in 2019 and the things that did not go as well. This is true for so many subjects, especially identity crime – which includes scams, fraud, data breaches, cybercrime and all of the other types of crimes that go with it.

Fallout from 2018

As in previous years, this past year has been a big one for these kinds of crimes. Tech users are still feeling the aftermath of things like the Facebook/Cambridge Analytica privacy debacle that was uncovered last year; Congress is still at work on what to do about consumer privacy in the social media age. Also, the news that phishing attacks more than doubled last year over the year before had researchers, businesses, lawmakers and consumers alike paying closer attention to the messages they receive.

What Went Right in 2019

Fortunately, new legislation has come along to make our privacy lives a little safer. The General Data Protection Regulation (GDPR) went into effect in Europe last year, for example, and it imposes strict penalties on businesses that gather and store data but let it fall into the wrong hands. New laws in California and Colorado will be taking effect soon, intent on strengthening privacy and consumer choice. Best of all, the awareness of what constitutes these kinds of crimes and how to recognize them is increasing.

Top Security Incidents of 2019

However, this welcome news does not mean that consumers are safe or that hackers are finally giving up. With every new platform, tool or technology, there is even greater potential for new avenues of attack. Healthcare providers and insurance companies continued to be among the hardest-hit targets this year, thanks to the overwhelming amount of personally identifiable information (PII) they gather. “Accidental exposure” breaches were a common 2019 identity crime for major-name companies; these happen when, for example, a business stores a huge database of private information on an online server and then fails to password protect it. Even our entertainment was not safe, as many apps and online gaming portals suffered data breaches that were traced back to reusing passwords on multiple sites.

2019 did not just see a lot of large data breaches, but settlements as well.

Equifax Settlement

In July, Equifax reached a $700 million settlement for harms caused by their data breach. Equifax agreed to spend $425 million to help victims of the breach, leading to lots of discussion on how to file a claim.

Facebook Settlement

While the Equifax settlement was the largest in data breach history to date, Facebook blew it out of the water just two days later, as they were ordered to pay $5 billion. After the settlement, Facebook said it required a “fundamental shift” in the company’s approach to privacy at every level.

Yahoo Settlement

A month and a half later a Yahoo data breach settlement was proposed for $117.5 million after over three billion Yahoo accounts were exposed. Identity Theft Resource Center CEO, Eva Velasquez, stated in a media alert that the settlement trend is moving the needle in the right direction for both consumers and victims. However, that was not without its challenges, including putting the onus on the consumer to tell the settlement administrators how they were harmed and provide proof of it.

10,000 Breaches Reported

This past year the Identity Theft Resource Center also recorded 10,000 publicly notified data breaches since 2005. As part of the milestone, the ITRC took a look back at some of the top breaches of the last 15 years as part of our 10,000 Breaches Later blog series.

Minimizing Future Risks

While data breach fatigue is a recognized phenomenon, one that can occur when consumers are bombarded with constant news about their data being compromised, the flip side is the kind of paranoia that makes you want to unplug and go live off the grid. However, neither of those is the solution. What does work is an awareness of the threat and some good privacy habits to prevent crimes like the 2019 identity crimes:

We’re Here to Help

Remember, you are not responsible for the criminal behaviors of a hacker. However, you can take steps that reduce your risk of becoming a victim and help minimize the damage if the worst does occur. The Identity Theft Resource Center is always here to help. Call us toll-free at 888.400.5530 or live-chat with one of our advisors.


If you are a fan of the Facebook ten-year challenge, you are probably excited about its recent comeback. As more people come to terms with the uncertainty surrounding social media use and privacy, many users are starting to take a more cautious approach to how and what they share. From changing their privacy settings to safeguarding the names and images of their children, a lot of users have become more knowledgeable—and therefore more concerned—about what happens to their content once it is posted. If issues like Facebook’s relationship with Cambridge Analytica taught us anything, it is that someone is always willing to pay for information about us.

For example, the Facebook ten-year challenge that swept through Facebook in the early part of 2019 is back, and it has left a lot of people asking what the social media giant is really doing with the images. If you have not seen it yet, users are encouraging one another to post a photo from 2009 and another one from 2019, presumably in recognition of the end of this decade. What is really behind the Facebook ten-year challenge?

A growing number of people have speculated that it is an attempt by Facebook to educate its facial recognition algorithms in the area of age-progression by looking at a ten-year age difference among users. That does not sit well with some privacy-minded people. There has been a lot of outcry over companies like Facebook, Amazon and others who have produced software that has stronger-than-ever capabilities for recognizing faces in a crowd. Amazon has even sold its software, Rekognition, to law enforcement agencies and has just announced brand-new features.

Even some tech industry insiders have been alarmed by the potential for grabbing up social media posts and using them to develop software that some see as an invasion of privacy. However, the Facebook ten-year challenge has led others to try to put a damper on the runaway conspiracy. After all, doesn’t Facebook already own countless photos of its users? What would be the benefit of having users simply post those same images again? Plenty, according to Wired magazine writer Kate O’Neill. Facebook can much more easily “mine” data when they have a fresh set of content that was taken a precise number of years apart.

In this case, it is not about what social media platforms already have access to or doing their legwork for them. Instead, the cause for alarm is more about what users are willing to post without really thinking through the potential for harm. Whether it is an endless stream of food pictures or the GPS coordinates to our children’s schools, we all need to be more aware of what it is that we are posting and how someone else could use it for their own purposes.


If you had told someone even ten years ago that a criminal sitting on the other side of the world could steal their credit card information with a simple email, they might have written you off as a conspiracy theorist. Only a few decades ago, identity theft was not even recognized as a crime, let alone something that the police could actually investigate and prosecute. However, as new technology emerges that makes our lives more convenient and more connected, new virtual reality privacy concerns can also appear.

New Tech, New Concerns

That is the current understanding of innovations like virtual reality and augmented reality. These high-tech, digital forms of media—used for everything from education and business to entertainment—create new virtual reality privacy dangers by placing the user in entirely fabricated situations and locations, usually thanks to special software that interacts with their visual hardware.

Popular games like Pokémon Go, for example, allow the player to walk around in the real world while finding virtual characters in their actual surroundings.

Misuse of Your Personal Information

By giving access to your phone, tablet or computer to another platform in order to participate in these kinds of activities, you are opening yourself up to potential new virtual reality privacy concerns. Any time someone else can access your stored photos, camera and Facebook account or friends list, there is a possibility of them misusing that access.

Even worse, any time a platform is free to use, it is a sure sign that your information is being sold to third-parties. You have no way of knowing who those other companies are or what they plan to do with your information.

Virtual Reality User Permissions 

It is important that companies who utilize these technologies understand the new virtual reality privacy concerns of interacting with consumers in this way. However, it is equally important that users know how their information could be compromised. It is a reminder that we all must be cautious about the latest gadgets and games, and must understand what permissions we are granting when we create an account or allow access to our information. If you cannot verify what a company can do with your connection, it is better to play it safe and avoid interacting.


One of the most dangerous forms of cyberattack might be phishing attacks, mostly because they are easy to pull off at any level of technical skill and because, too often, they work. In a phishing attack, the criminal sends you some kind of message and pretends to be someone they are not. It might be your boss, a Nigerian prince fleeing the country, your favorite retailer or even a friend. The message might look and sound authentic, but the sender is not.

Instagram has launched a new feature that will try to curb phishing attacks via its platform. One of the more common versions of an attack, at least when it masquerades as an online platform or website, is the claim that you must verify your login credentials in order to secure your account. Another popular twist is to claim that someone has logged into your account from another device, and you need to “click this link” if you were not the one who did it.


Now, users will be able to press the settings button on their Instagram screens and find a list of the emails the company has sent them, along with the date and the reason for each. If you receive an email in your inbox and it is not in your Instagram app’s settings, then you will know it did not come from the company.


This small step can make a big difference in preventing identity theft and account takeover from phishing attacks. However, it will only work if users think to take a peek and compare the lists of emails. Until other platforms take similar precautionary measures, there are a few helpful hints you can remember to block cybercriminals:

1. Never click a link, open an attachment or download any content from an email unless you are expecting it or have verified it with the sender. Even if it appears to come from someone you know, that person’s email account could have been hacked or copied. Check with the sender before taking any action.

2. Never verify your identity, login credentials, account numbers or any other sensitive data for someone who calls, texts, emails or sends a private message. Many companies have come out and stated they will never ask you for this information.

3. Never comply with strange requests, even if you think you know the sender, without verifying the request verbally. It might be changing account numbers, changing a password on an account, sending funds to a different account or even buying gift cards. If you receive a request that in any way involves money or sensitive information, dial the phone and call the sender first using a phone number you looked up for yourself.


Facebook says using real names helps them keep the most popular social networking site in the world safer. By confirming identities, Facebook states it can help stop or minimize the risk of scams, phishing, abuse and foreign political influence.

In an effort to protect your identity from threats, Facebook is asking some users to send personal identifying information (PII) to prove users are who they say they are. This can happen for general users as well as advertisers. With obvious concerns for the safety of one’s identity, this blog details what, why and how Facebook uses this information.

What This Means for Users

For the average Facebook user, the company might ask you to provide a form of personal identification if you have lost access to your account, they detect suspicious activity or you need to confirm your Facebook name. Facebook will prompt you for verification when a concern arises on your account.

What Must I Send to Facebook?

Facebook asks for PII that either includes your name and birth date or name and photograph. This could be a driver’s license, birth certificate, passport, green card or a tax identification card. If you do not want to send Facebook one of the items listed above for personal identification, you do have the option to send additional documentation like bank statements, credit cards, medical records, military IDs, religious documents or a social welfare card. You must provide two documents from this list, and Facebook still might require photo and birth date documentation.

Why Must I Send Personal Information to Facebook?

Facebook claims they ask for personal identification to protect your identity and the overall safety of the network ecosystem. If you submit a complaint that you have been locked out of an account, for example, they want to make sure they grant access back to the right person and not an impostor. Of course, there are less serious incidents when it comes to account safety, like requesting to reset a password through email verification.

Another instance Facebook might ask you for personal identification is when you request to change your Facebook name. Whether you just got married, decided to stop or start going by a nickname or are removing your husband or wife from your joint account, Facebook could ask you to verify your identity first.

Technically Facebook users are supposed to go by their real name, even if this rule was not enforced in the past. For this process, Facebook requires the name on your account and the name on your personal identification to match.

How Do I Provide My ID to Facebook?

Facebook asks users to scan or take a photo of their personal documents, then upload them when prompted while trying to access their account.

Facebook will never ask you for your password or to provide identification in an email, or send you a password as an attachment. Emails sent from scammers posing as Facebook often include notifications about platform engagement, community standards and security warnings. Do not engage with Facebook emails if you are unsure of the content. Log directly into Facebook from a secure browser to check for any notifications regarding your account.

How Does Facebook Protect the Information I Send?

Facebook claims to treat user personal information with the proper security standards. Their website says, “After you send us a copy of your ID, it’ll be encrypted and stored securely. Your ID will not be visible to anyone on Facebook.”

Facebook does ask users to allow them to “increase their efforts” by giving permission to store your encrypted personal identification for up to one year, with the hope of preventing fake accounts and imposters. To prevent Facebook from using your photo in this instance, visit your security settings.

A published Facebook statement emphasizes their concern for user privacy stating,

“We’ll use your ID or official document to confirm your identity. We’ll also use it to help detect and prevent risks such as impersonation or ID theft, which helps to keep you and our Facebook community safe. It will not be shared on your profile, in ads or with other admins of your Pages or ad accounts. After we’ve confirmed your identity, we’ll delete your ID or document within 30 days.”

Community Reaction

One Facebook user posted on the company’s forum on behalf of her father, who could not get into his account after resetting his password, saying,

“Now when he goes to log in, he is being asked for a scanned document to verify his identity. Honestly, I think this is ridiculous! He is being asked to submit a picture of his birth certificate, driving license or marriage certificate. I have never been asked for anything like this in all my time on Facebook and I think it is ridiculous to ask people to do this. No wonder there is so much identity fraud!!”

This post, from 2013, is not an isolated incident and addresses the exact concerns of the Identity Theft Resource Center. When you share your PII with companies or individuals, you increase your risk of identity fraud and theft.

Some users reported that, after providing the required personal identification documents, they were still not granted access to their accounts. Other users are at a loss for how to help their child access his or her account without exposing them to dangers. Out of concern for privacy when creating an account, some users did not use their real birthday or name and now do not have proper personal identification documentation. Those users will be forced to change the provided information to what matches their legal records.

In response to a forum complaint, a member of Facebook’s Help Team provided the following statement:

“This usually happens when we detect suspicious activity or security threats to your account. We take your security very seriously, so before we can provide you with any information about this account or give you access to it, we need to make sure it belongs to you.”

ITRC’s Response

Before providing your PII to Facebook, or any other company, you need to assess the risk involved. By sharing your confidential legal documentation for storage on a third-party website, no matter for how long, your risk for identity theft and fraud increases. As we know too well, secured servers are still susceptible to data breaches and cyber attacks. We urge users to evaluate how important using Facebook is to them, the value it provides and the risk they are willing to take to continue using the social platform.


If you are a victim of identity theft in need of assistance, you can receive free remediation services from ITRC. Call one of our expert advisors toll-free at 888.400.5530 or LiveChat with us. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


It is no secret that public Wi-Fi connections can leave you vulnerable to hacking and identity theft. However, the old wisdom of avoiding common sources of free public Wi-Fi connections is not enough. These threats are not limited to places like coffee shops, hotels, airports or even your doctor’s office. These days, more and more businesses are drawing customers with this kind of perk, and hackers have taken notice.

Passwords are also important. Some businesses reserve their free public Wi-Fi for their own customers, and as such, a password is required in order to connect. Other companies, though, do not bother with the hassle of maintaining, distributing and changing their passwords. Their guest connections are left wide open. That means your device could attempt to connect even without you taking steps to do so.

Here are a few more places where available public Wi-Fi connections might not be safe:

Retail shops

More and more businesses, especially those that encourage their customers to browse, offer free public Wi-Fi in-store. This is great for families with children, spouses or friends who need to wait on someone and even customers who want to download in-store specials and coupons. Remember, though, that connecting once intentionally can trigger that same connection any time you are near that store in the future, depending on the settings in your device.


Schools

Checking Facebook or catching up on emails while waiting in the school pickup line is a great way to multi-task, but it can also leave you at risk if you are able to connect over the school’s public Wi-Fi. Schools have long been a hot target for hackers due to the high volume of stored data, especially on younger students who have a clean credit report.

Jury lounge

Some courts have launched free public Wi-Fi in the jury duty lounge as a way to thank citizens for their service while also helping members of the jury pool be productive while they wait for their turn to serve. The connection in the jury lounge is password-protected but will be in use by a wide variety of people (including hackers).

Entertainment venues

Swimming pools, bowling alleys and arcades are providing free public Wi-Fi connections for their guests, especially parents who must wait with their kids. It is a way to make the day more enjoyable for everyone, but it can also mean hackers targeting families who are using portable devices to connect, take pictures and send updates to social media.

Common areas

Just because there are more places where your public Wi-Fi connection could lead to a hacker, that does not mean criminals have given up on their old haunts. Do not let your guard down in more common places like coffee shops and airports, and make sure your device settings prevent you from connecting automatically.

Consider using a VPN

A virtual private network is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers, from seeing your online activity. A VPN is a piece of software installed on your laptop or desktop that is either stand-alone or bundled with your antivirus or security software.



Thanks to a new settlement valued at $170 million, child privacy on the internet just got a little bit safer. The Federal Trade Commission (FTC) just announced the largest-ever settlement of a privacy claim against Google’s YouTube for illegally collecting data on children and using it to target young viewers with advertising. This is the largest agreement of its kind since the Children’s Online Privacy Protection Act (COPPA) was enacted in 1998.

YouTube’s stance on the child privacy matter was that the increase in the number of shared devices among family households and the availability of child-friendly content on its site means more kids might be viewing videos online. However, that does not mean the company is able to determine whether or not the viewer is a minor. If the video played on a screen, regardless of the age that content was tailored for, it may or may not have been viewed by a child.

The FTC stated that YouTube strategically positioned itself with toymakers and other companies to promote advertising on videos that target children, which violates the COPPA law.

As a result of the settlement, not only will Google pay the fine, they will also begin to take steps to prevent targeted advertising and data collection on content that is deemed to be for children. The FTC intends to conduct ongoing “sweeps” of YouTube content to ensure that this happens.

Not everyone with a say in the matter agrees with the YouTube child privacy settlement. There are some lawmakers and FTC officials who feel like this punishment is just a slap on the wrist, and that there are no guarantees Google and YouTube will take appropriate action.

For many parents, targeted advertising might not seem like a major issue. After all, there are ads for children’s products and services scattered through the cable television programs that children watch. The difference here is in the intent. While YouTube may have taken steps to ensure that the ads were child-appropriate, they did so in violation of the law. That means other content could contain targeted ads aimed at children while not being kid-friendly if YouTube is not enabling stronger controls and protocols to prevent it.

For its part, YouTube’s statement on the child privacy settlement still encourages parents to limit their young children’s streaming time to its kid-friendly dedicated app.
