California Consumer Privacy Act (CCPA): Overview, Importance and Stay Complaint!

July 2, 2020

Data privacy has become a prime concern in the modern IT world.

In recent years, data privacy has gained huge prominence owing to the increasing number of cyberattacks that led to massive personal data breaches.

In 2019, the total number of data breaches in the US amounted to 1,473 with over 164.68 million sensitive records exposed.

In response, governments across the world have started developing regulations to strengthen consumer privacy protection.

The introduction of the EU’s General Data Protection Regulation (GDPR) in 2018 marked the beginning of the new era of data privacy. It served as a stepping stone for other governments to create cohesive data privacy regulations.

Inspired by the GDPR, the State of California has come up with its own data privacy law for its citizens, i.e., California Consumer Privacy Act (CCPA).

CCPA, which came into effect from January 1, 2020, is the first of its kind in the US.

The CCPA gives the residents of California the right to know how businesses are handling their personal information.

The new law mandates companies to inform consumers about the data collected or shared while giving them the right to access, control, delete and opt-out.

Which Businesses are Affected by CCPA?

Any business that processes or handles the personal information of California residents are held accountable to CCPA if they fall under any one of the following criteria

Annual gross revenue of at least USD 25 million
Handles more than 50,000 consumers’ data
Generate more than 50% of revenue from selling data

However, the following businesses are exempted from CCPA.

Businesses already under HIPAA
BFIs covered by Gramm-Leach-Bailey
Credit reporting agencies covered by the Fair Credit Reporting Act

The companies that are accountable to CCPA should prepare privacy notices to send to all their customers that reside in California.

The notice should contain the following information

How consumers’ information is collected
How the collected data will be used
The list of third-party email addresses with whom the data is shared
Details about the consumers’ rights under CCPA

Consumer Rights Under CCPA

The CCPA facilitates a few benefits to Californian consumers. They include

Right to ask the company to delete personal information
Right to opt-out of personal information shared/sold by the company
Right to request disclosure of data collected by the company
Right to equal services and price even if they exercise any of the privacy rights under CCPA

What Personal Data is Covered by CCPA?

CCPA defines personal information as the “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The following is considered as personal information

Direct Identifiers: Real name, alias, postal address, social security numbers, driver’s license number, passport number
Unique Identifiers: Cookies, IP address, email address, account names
Biometric Data: Face and voice recordings
Geolocation Data: Location history
Internet Activity: Browsing history, search history, information regarding consumer’s interaction with a webpage or app
Sensitive Information: Health data, personal characteristics, behavior, religious or political convictions, sexual preferences
Professional or employment-related information
Education Information

The businesses will be liable for penalties if they share or process any of the information mentioned above without the consumer’s consent.

CCPA Penalties

The CCPR proposed hefty penalties if companies fail to comply with the new regulations. The unintentional violators face a USD 2,500 fine, while intentional violators will have to pay USD 7,500.

How Companies Can Meet CCPA Compliance Standards?

Businesses that are already compliant with the GDPR will find it easier to comply with the CCPA law. Here, we bring some tips that help companies to meet the CCPA’s security and privacy requirements and prevent possible penalties and civil lawsuits.

1) Preparation

The first step in complying with CCPA is that the organizations should identify and classify consumers’ date to find whether if it falls under CCPA guidelines.

Check whether the data requires access permission from the consumers. Identify the rarely accessed folders and old personal data as they may bring unnecessary security risks.

2) Implementation

After the personal data is identified and classified, implement the right access permissions. Try to implement role-based access controls.

Archive or delete any consumer information for older than 12 months. Implement security protocols to monitor personal data against outside threats and unauthorized access.

3) Maintenance

Continually review the privacy and security protocols and adjust them on par with the ever-changing cybersecurity landscape. Regularly evaluate old and new data to ensure it is properly organized and protected.

CCPA Vs. GDPR: What’s the Difference?

CCPA Vs. GDPR: What's the Difference?

Both the CCPA and the GDPR aims to empower their individuals with certain rights regarding how their personal information is collected and used.

However, both laws differ in some significant ways, particularly regarding the application scope, the nature and extent of data collection limitations, and rules concerning accountability.

GDPR mandates businesses to have a legal basis for processing personal data, whereas CCPA does not have any such regulations.

CCPA	GDPR
Relates to personal data of EU citizens	Relates to personal data of Californians
Applies for all for-profit firms that have USD 25 million in gross revenue, acts on personal data of > 50,000 users and earns 50% of its revenues by selling data	Applies for all business with >250 employees
Extends to information traced back to households or devices	Mostly similar to CCPA protocols in data protection
Allows users to express their consent to the sale of their data	Doesn’t explicitly let consumers deny the sale of their data
Consumers can’t restrict but can only opt-out	Consumers can restrict data processing
Depends on the offense, penalties can go up to USD 7500 per affected individual	Fines can go up to 4% of a company’s revenues

What CCPA Means to Third-party Associates?

The organizations that share/collect the personal information of Californians are not the only businesses affected by the CCPA. All third-party associates are also compelled to comply with CCPA.

“In terms of compliance, working with third parties is important because the organization is responsible for what those third parties do with its data—not to mention fourth and fifth parties,” says Richard Vestuto at Deloitte Transactions and Business.

The businesses should ensure that all their third-party associates are compliant with CCPA standards.

The companies should review all third-party associates with access to personal information and place the security protocols on par with the CCPA.

The Future of Data Privacy:

The CCPA, the first of its kind in the US, has fueled the other US states to draft their privacy laws for their citizens. There are already several CCPA copycat laws in the US such as Nevada’s privacy law, Washington State’s Privacy Bill and New York’s Privacy Bill.

Follow the path of the GDPR and the CCPA, over 60 jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws.

According to Gartner, 65% of the global population will have their personal information covered under modern privacy regulations by 2023, up from 10% today.

So, now is the best time for companies to align their data security and privacy practices with the regulations deployed by the state or by the federal government.

In Conclusion
Privacy is becoming a reason for customers to a product. So, businesses must build a holistic and adaptive privacy program to increase consumer trust. The executive leaders should be proactive in standardizing operations in accordance with the privacy laws.

Businesses should be aware of the current privacy laws, future regulations and different standards to sustain compliance. Are You CCPA Compliant? Contact Stealthlabs!

How Does Stealthlabs Help With the CCPA?

Stealthlabs is a US-based Information Security Service and Solutions provider with strong domain expertise in helping companies comply with various data security laws and compliance standards. Over offerings cover a plethora of information security compliance frameworks including GDPR, CCPA, PCI DSS, HITECH, and NERC CIP.

More Information Security Articles: