The California Consumer Protection Act (CCPA) went into effect on January 1, 2020. It’s a fairly landmark piece of legislation that aims to protect the personal data of Californians. More importantly, it seeks to give Californians more control over that data. In some ways it’s the American version of Europe’s General Data Protection Regulation (GDPR). And much like GDPR, its effects will reach far beyond its own borders.
Any company that does business in California will be required to comply with the CCPA. And rather than create multiple systems, many companies will just use compliance with the CCPA as a baseline and the right will be given to citizens of other U.S. states, de facto. Discussion of a national U.S. data privacy law is in its early stages, too.
This article will explain what the CCPA is, who it affects, and why compliance is critical for ALL organizations.
What is the California Consumer Protection Act?
The California Consumer Privacy Act is a new piece of data privacy regulation aimed at protecting the personal data of California’s citizens. The CCPA aims to give Californians five new rights:
1) The right of Californians to know what personal information is being collected about them.
2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
3) The right of Californians to say no to the sale of personal information.
4) The right of Californians to access their personal information.
5) The right of Californians to equal service and price, even if they exercise their privacy rights.
For the sake of this discussion, we’ve boiled those rights down to three specific goals, which we’ll cover more in depth in just a moment.
- The right to know
- The right to say, “no”
- The right to protection
So, what does that mean?
The Right to Know
Any organization conducting business in California is required to inform its customers what data it’s collecting and what that data is being used for. This is very similar to the requirements under GDPR, where businesses need to notify users at the point of collection, in addition to providing detailed information about how they use data in their privacy policies. Additionally, Californians now have the right to request a complete record of all data you’ve collected on them over the past 12 months.
The biggest difference is consent. CCPA requires companies to allow consumers to “opt out.” GDPR requires companies to get consumers to opt in.
The Right to Say, “No”
While this doesn’t go so far as other regulations – the GDPR provides EU citizens with a far more robust “right to be forgotten” – the CCPA does allow Californians to request the deletion of some data, as well as to refuse or “opt out” of organizations selling their data. Or sharing it.
The Right to Protection
If a company either doesn’t comply with a Californian’s wish not to have their information shared, or if it shares the information accidentally – that would be a data breach – Californians now have a legal avenue to sue. And according to the Employment Opportunity Commission, California is one of the most litigious states in the U.S. Also, you may not discriminate against anyone that exercises their rights under the CCPA.
Who Does the CCPA Affect?
We mentioned this at the outset of the article, but it bears repeating. The CCPA is written to protect citizens of the state of California. However, due to the global nature of the modern economy – and the ubiquity of the internet – this AFFECTS any company or organization that has a business footprint in California and meets one of the following requirements:
- Earns annual gross revenues exceeding $25 million
- Annually buys or sells personal data from 50,000+ consumers or households
- Earns more than half of its annual revenue from selling personal data
As a result of this, these rights are inevitably going to be expanded to U.S. citizens that live beyond California’s borders. Most companies aren’t going to create separate systems and standards for people from one US state. But that comes with a couple of caveats.
First of all, American companies are going to need to be acutely aware of the legal requirements stemming from CCPA. Hauling a US company to court in California is not a difficult task and the legal climate there is… unique. In reality, it’s more just awareness that’s needed as California allows companies to “cure” violations within a few weeks of them being reported (more on this in a moment). For international companies, things get a little bit dicier on account of the potential difficulty in enforcing any legal action. But as we’re discovering with GDPR – enforcement on the international stage isn’t impossible.
Also, the right to sue a company over a data breach isn’t really landmark – if you live in California, you probably have that right now, but this new regulation will make those cases easier.
Regardless of all this, we can’t state enough that complying with CCPA really isn’t all that onerous for businesses. As we’ll show you in a moment, most of it is just following best practices. And anytime you’re looking for a reason NOT to comply with a regulation – it’s generally not a good look.
What Does the CCPA View as Personal Data?
Personal Information, Personal Identifying Information, Personal Data – much like the different names we use for it, the definitions differ from regulation to regulation, too. Here’s how the CCPA defines “Personal Information”:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Now, before we get into what this definition DOES include, let’s discuss what it doesn’t: publicly available information. Personal data must be collected by the company in question directly from and about California consumers.
“Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. Whereas GDPR is much more interested in data ownership and protection, as well as rights of deletion, CCPA is primarily concerned with the sale of personal data.
It also contains some amusingly specific data points that constitute personal information. Arguably the best of which is protections for olfactory data – as in, relating to a sense of smell. But let’s not get distracted by how one digitizes scents. Here’s what the CCPA includes in its “non-exhaustive” list:
• Identifiers – real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
• Characteristics of protected classifications under California or federal law.
• Commercial information – including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Biometric information.
• Internet/electronic network activity information (including, but not limited to) – browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
• Geolocation data.
• Physical data – Audio, electronic, visual, thermal, olfactory, or similar data.
• Professional or employment-related data.
• Education information – information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act
• Inferences – drawn from any of the information identified to create profiles about consumers reflecting the consumers’ preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
One more thing, the CCPA refers to personal information as identifying individuals and “households.” But it also makes no attempt to define the term “household.” The standard legal definition of household is:
Individuals who comprise a family unit and who live together under the same roof; individuals who dwell in the same place and comprise a family, sometimes encompassing domestic help; all those who are under the control of one domestic head.
Who knows if California’s definition of household lines up with this one – they literally haven’t told us.
CCPA vs GDPR – What’s the Difference?
Many people view the CCPA as the U.S. corollary to GDPR. That’s… not exactly true. There are two big differences between the two regulations. First, as stated above, CCPA is more focused on the sale of personal information whereas GDPR is a much more holistic approach to data rights and digital privacy, in general.
Second, the United States and Europe have contrasting views when it comes to the rights of corporations vs. individuals. The EU is much more focused on rights and protections for the individual. The EU has actively prosecuted anti-competitive practices from giants like Google and Facebook, while also heavily penalizing companies for violating EU citizens’ data rights.
In the U.S. corporations ARE individuals as is borne out by several landmark judicial decisions. Corporate elements in the U.S. have effectively lobbied against all kinds of regulation and oversight. In fact, those same entities made a hard push – even into the final days – to water down the CCPA. Case in point, the CCPA includes provisions that offer relief to offending companies – a topic we’ll cover in a couple of sections.
Here’s a quick visualization on the differences between GDPR and CCPA:
|
California Consumer Protection Act (CCPA) |
General Data Protection Regulation (GDPR) |
|
Protects Californians |
Protects all EU data subjects |
|
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. |
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
|
Companies with revenues exceeding $25 million, or selling personal data as a core function of their business. |
All “Data Processors” and “Data Controllers,” meaning anyone collecting or processing personal data. |
|
No data minimization mandate. |
Data minimization required. |
|
No “Right to Correction.” |
“Right to Correction” required. |
|
Organizations may collect personal information but are required to offer consumers a way to “opt out.” |
Organizations must receive affirmative consent before collecting or processing personal data. |
|
No Data Protection Officer (DPO) required. |
Data Protection Officer (DPO) required. |
|
$7500 for intentional violations |
€20,000,000 or 4% GDP for violations (large org) €10,000,000 or 2% GDP for violations (small org) |
What Happens If I Don’t Comply With CCPA?
Part of CCPA compliance involves making your Data Protection Officer wear a bomb collar that, regrettably, detonates following a company’s third violation.
We’re kidding, of course. There is no Data Protection Officer, nor any other designated employees under CCPA. There are also no bomb collars. But there are fines. Plenty of fines.
• Violations with Intent - $7500
• Accidental Violations - $2500
• Class Lawsuits - $100-750/customer
The California Consumer Protection Act went into effect on January 1, 2020, but the California Attorney General – who is responsible for enforcing the CCPA – won’t begin penalizing companies for another six months.
The larger, more existential question is how can this even be enforced? And one of the biggest reasons for many privacy advocates’ skepticism is the fact the CCPA contains a “cure provision” for organizations facing class action suits from disgruntled Californians. Offending companies are liable if they fail to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
If a plaintiff just seeks “actual” damages, meaning money they can prove they lost as a result of a breach, then the suit can proceed without interruption. However, if the plaintiff chooses to go the statutory route, and attempt to collect a larger prize – something most class action suits will attempt – the offending company will receive a 30-day notice from the Attorney General before the suit proceeds.
The 30-day notice provides the defendant with a period of time to rectify the issues that led to the breach. To “cure” the issue, if you will. Provided the organization both cures the violation in the allotted time and notifies the plaintiff, in writing, that no further violations will occur – the defendant can avoid litigation all together.
Coupled with the light fines, there are questions about the efficacy of the CCPA.
But don’t let that dissuade you from complying with it. There is truly no way to quantify the damage a breach or a compliance violation can have on a company’s reputation. According to the Ponemon Institute’s yearly Cost of a Data Breach Report, enterprises that suffer a breach/compliance incident see an immediate 5% drop in their stock price and over time 31% of consumers discontinue their relationship with the offending organization.
Complying with CCPA
There is no cure-all or a panacea for eliminating data breaches, however we can provide you with some high-level tips and things your organization is going to need to do to get CCPA compliant.
Conduct a data assessment
Start by conducting a full review of your organization’s data collection practices. You should be paying special attention to the scope of, and purpose behind, your data collection. That includes:
• What specific personal information you’re collecting
• How that information is being used by your organization
• Where that information is being stored
• How personal information flows through your networks
• Whether that information is being shared with any third parties
• If so, why is that information being shared with third parties
• What internal policies do you have in place governing the personal information
Review your technical safeguards
Most data protection regulations are purposely non-prescriptive when it comes to specifying the technologies needed to protect personal information. That’s owing to the fact that they need to be widely adopted by a number of stakeholders with different needs. The regulation also needs to stay relevant as long as possible, and defining specific solutions causes the regulation to become outdated as soon as the technology that was specified does.
But there are a few basic places you need to make sure are secured:
- Data in transit – This is handled using SSL/TLS, VPNs and other solutions that secure the connections between endpoints.
- Data at rest – You need to make sure that your databases and anything residing on your networks are protected, as in non-readable to an intruder.
- Network security – The best way to avoid having data compromised by an intruder is just not to allow intruders. Using the requisite network security safeguards helps prevent this.
- Email security – 91% of all attacks start with an email. This problem goes beyond technical safeguards, too. Employees are every organization’s greatest risk and training them to spot suspect emails needs to be a priority.
We’ll be back with a much more comprehensive compliance guide in the future, but this is a good start.
Update your privacy policies
Your privacy policy is just the tip of the iceberg when it comes to informing your customers of your data practices and their rights. Your privacy policy should be like your master document: fully comprehensive, covering every aspect of how data is collected and used by your organization, as well as providing customers with their options for recourse in the event something goes wrong.
But that’s not all that needs updating. You also need to work on privacy notices, just-in-time notifications and any additional communication that stems from your CCPA responsibilities. For instance, if a customer requests a copy of the data you have on them – not only do you need a way to produce that data, you also need communication around it.
Review Your Partner Contracts
Any organization your company shares data with needs to be vetted and required to sign a contract, because your partners can get you into trouble, too. This is a good place to take a page out of the GDPR playbook, specifically its Data Protection Agreements, which specify how information will flow and be processed by partners. Due diligence is critical.
What if CCPA Doesn’t Apply to Me?
Just because your organization doesn’t meet the minimum threshold for CCPA enforcement doesn’t mean that you’re off the hook. In fact, it could put you in an even more precarious position if you get lulled into a false sense of security.
First of all, much like with GDPR, CCPA requests for deletion include getting any partners you shared the data with to delete it, too. That means the CCPA flows downstream and you may still be asked to take specific actions. If you either cannot or fail to comply with your partner’s request to delete data that was shared with you – it’s not going to help the relationship much.
For that reason, it would behoove you to:
- Perform a data assessment to map your data flows and figure out what categories of data are being shared with you.
- Review the technical safeguards you have in place to ensure you’re following industry best practices.
- Update your privacy policies and create processes for complying with deletion requests from your partners.
- Review your partner contracts, or if you don’t have one in place – request one.
Complying with CCPA Just Means Following Best Practices
From a security standpoint, the measures we’ve outlined in this article are things you should already be doing. None of the technical aspects of CCPA require organizations to take otherwise unneeded measures or to reinvent the proverbial cybersecurity wheel. You should already be safeguarding the personal data your organization collects and maintains. You should already have a clear idea of how information flows through your organization. You should already have a succinct privacy policy.
These are all just standard best practices. The only difference is now there are penalties for not following them. Remember: The point of regulations like CCPA and GDPR isn’t to be a burden to enterprises – it’s to ensure strong data security. With the right partners, compliance can be simple.
Learn more about GlobalSign’s range of enterprise security solutions that make CCPA compliance easy.
