On Jan. 1, 2020, the California Consumer Privacy Act (CCPA) went into effect.
The new law—the “first consumer privacy act in the country,” as one California legislator put it—requires U.S. companies to implement privacy initiatives like those of the European Union’s General Data Protection Regulation (GDPR), affording California residents unparalleled data privacy rights.
With the CCPA in place, brands are looking for guidance on what it takes to be compliant. Andy Green of Varonis.com summarized the critical components of the legislation, including which consumers and businesses it covers, important dates, risks, fees, and how to accelerate and simplify a brand’s journey to becoming CCPA-ready now—and compliant into the future.
What Is It?
The CCPA is a law designed to protect the data privacy rights of California residents. In short, the law forces companies to tell consumers more about what is being done with their data and gives them more control over how it is shared. The real issue the law addresses is that most consumers don't realize their personal information is being shared with or sold to others. The act ensures they are given the chance to opt out of having their information used in ways they disapprove of.
No other U.S. state has provided its residents with GDPR-like protections, which include a transparency right that requires companies to inform consumers about the data collected and shared, and rights to access, to delete and to opt out.
When Does the Legislation Go into Effect?
The CCPA has been a long time coming. The legislation was originally signed by Governor Brown in June 2018. Several amendments were kicked around by the legislators, and the law was finalized last fall with a few tweaks. Employers can breathe a partial sigh of relief: a last-minute amendment largely exempts employee and job applicant data from the CCPA for one year, so the access and deletion rights do not yet apply to workers, although the notice-at-collection requirement and the data breach private right of action still do.
Who Does the CCPA Affect?
The CCPA covers any "business", meaning a for-profit legal entity that does business in California and collects consumers' "personal information", subject to a few exemptions. The legislators set thresholds on revenue and on the volume of consumer records so that the smallest businesses are left out. A company has to meet at least one of the following for the CCPA to apply:
- Have annual gross revenue in excess of $25 million; or
- Buy, receive, sell or share, for commercial purposes, the personal information of 50,000 or more "consumers, households, or devices"; or
- Derive 50 percent or more of its annual revenue from selling consumers' personal information.
The California lawmakers also wanted to avoid double-regulating health and financial data that already falls under federal data security laws. Note that these exemptions are mostly data-level rather than entity-level: the federally regulated data is carved out, but the same company's other personal information (say, a bank's website analytics) remains in scope. So the CCPA doesn't apply to:
- Protected health information held by providers and insurers already under HIPAA
- Personal information collected under Gramm-Leach-Bliley by banks and financial companies
- Consumer report data handled by credit reporting agencies (Equifax, TransUnion, etc.) under the Fair Credit Reporting Act
Important CCPA Definitions to Understand
Like the EU’s GDPR, the CCPA gives consumers important new rights: a right to know (or “transparency”) about how their data is being used, a right to access, a right to delete, and a right to opt out of having their data sold to third parties (for minors under 16, the business needs an opt-in).
In short, businesses have to inform consumers, at or before the point of collection, about the categories of personal information being collected and the purposes for which it will be used. Consumers can, of course, decline to provide the information, and can opt out of its sale at any time.
If the consumer does hand over data, they have additional rights. They can make an access request to find out in more detail the specific pieces of information the business holds about them, the sources it came from, and the categories of third parties that received it. They also have a right to delete their information (with some exceptions, such as data needed to complete a transaction or to comply with a legal obligation).
One more point that is very important: a business cannot discriminate against consumers who exercise any of these rights by denying them goods or services, charging a different price, or providing a different level of quality.
CCPA and Personal Information
The CCPA applies to personal information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In the world of data compliance laws, this is about as broad as personally identifiable information (PII) gets. The words “relates to” and “reasonably linked” open up a very large class of non-traditional identifiers beyond name, address and Social Security number.
Just to make sure companies have grokked what is going on, the legislators listed specific examples, including:
- Email address
- Online handles
- IP address
- Biometric information
- Geolocation data
- Browsing and search history
How Is the California Consumer Privacy Act Enforced?
The California Attorney General enforces the CCPA and can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, after a 30-day cure period. But there is an interesting twist to enforcement. The CCPA also provides a “private right of action” when nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement reasonable security procedures. Note that this provision uses the narrower data breach definition of personal information (for example, name combined with Social Security number, driver’s license number or account credentials), not the broad definition above.
Real-World CCPA Penalties
In plain English, this means that consumers and their private attorneys can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. With statutory damages the consumer does not have to prove an actual financial loss, only that the business violated the law (although before suing for statutory damages they must give the business 30 days’ written notice and a chance to cure). Multiply $750 by the number of records in a typical breach and it is clear why the CCPA is a big deal for data privacy attorneys, and why companies should be wary of class-action suits.
With that in mind, preparing for the CCPA is not all that different from preparing for the EU’s GDPR—though the GDPR certainly has stricter security requirements on the books. In fact, our GDPR whitepaper has a good overall plan for tackling the CCPA’s security and privacy requirements. If we had to summarize what you need to do in a few short sentences, it’s this:
- Identify and classify your data assets: find out where the CCPA personal information is located and whether the data is at risk by checking access permissions.
- Dig deeper into the CCPA personal data to identify those folders that are rarely accessed. Stale personal data serves little purpose and is an unnecessary security risk!
- After analyzing the personal data and its permissions, put the right permissions in place. A very effective security measure is to limit data access to the people who need it for their job (least privilege), typically enforced through role-based access controls.
- Archive or delete stale personal data.
- Implement a program to monitor personal data against outside threats and unauthorized access.
- Maintain the security and privacy of the personal data by continually reviewing the data and its permissions.
- Be on the lookout for new cyber threats and adjust privacy and security as needed.
- Return to step 1! You’re never really done with CCPA or any other kind of compliance standard—you’re always in some phase.
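The first steps above (find where personal information lives, find what is stale, check who can read it) can be prototyped with a small scanner that looks for the kinds of identifiers listed under "CCPA and Personal Information". The following is an added example, not code from this article or from Varonis. It builds a constructed sample file tree in a temporary directory so it runs offline; the regexes, the 365-day staleness threshold, and the use of the POSIX "other read" bit as the "too permissive" signal are illustrative assumptions, not part of the law or of any product.

```python
"""Added example: scan a file tree for CCPA-style personal information and
flag files that are stale or world-readable.  Not code from the article."""
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass

# Illustrative patterns for a few of the identifier categories the CCPA lists.
# Assumption: a production classifier would use tuned, validated detectors;
# these regexes exist to show the mechanics.
PI_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # "lat, lon" decimal pairs such as 37.7749, -122.4194
    "geolocation": re.compile(r"-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}\b"),
}

STALE_AFTER_DAYS = 365  # assumption: untouched for a year counts as stale


@dataclass
class Finding:
    path: str             # path relative to the scanned root
    categories: list      # PI categories detected, sorted
    stale: bool           # not modified within STALE_AFTER_DAYS
    world_readable: bool  # file mode has the "other read" bit set


def classify_text(text):
    """Return the sorted PI categories found in a piece of text."""
    return sorted(name for name, rx in PI_PATTERNS.items() if rx.search(text))


def scan_tree(root, now=None):
    """Walk root and return a Finding for every file that contains PI."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            categories = classify_text(text)
            if not categories:
                continue
            st = os.stat(path)
            findings.append(Finding(
                path=os.path.relpath(path, root).replace(os.sep, "/"),
                categories=categories,
                stale=(now - st.st_mtime) > STALE_AFTER_DAYS * 86400,
                world_readable=bool(st.st_mode & stat.S_IROTH),
            ))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree():
    """Create a constructed sample tree in a temp dir so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="ccpa-scan-")
    # relative path -> (content, age in days, POSIX mode); all values constructed
    samples = {
        "crm/customers.csv": ("id,email,last_ip\n1,jane.doe@example.com,203.0.113.7\n", 30, 0o600),
        "archive/2017_export.csv": ("email\nold.user@example.org\n", 800, 0o644),
        "logs/app.log": ("GET /index.html 200\n", 2, 0o644),
        "geo/trips.txt": ("37.7749, -122.4194 pickup\n", 10, 0o640),
    }
    now = time.time()
    for rel, (content, age_days, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))  # back-date so staleness is testable
    return root


def report(findings):
    """Render findings one per line: path, categories, and any risk flags."""
    lines = []
    for f in findings:
        flags = [label for label, on in (("STALE", f.stale),
                                         ("WORLD-READABLE", f.world_readable)) if on]
        lines.append(f"{f.path}: {','.join(f.categories)} {' '.join(flags)}".rstrip())
    return lines


if __name__ == "__main__":
    for line in report(scan_tree(build_sample_tree())):
        print(line)
```

Run as a script it prints three findings: the archived export is flagged both stale and world-readable, the CRM file carries email plus IP data, and the trip log carries geolocation; the web log, which holds no identifiers, is not reported. In a real run, point scan_tree at a share root and feed the findings into the permission review and archival steps above.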
The CCPA also has requirements for handling consumer access and deletion requests. If you have already done the work of classifying personal data, this should not be a heavy burden, particularly with the right tooling.
The Future of Data Privacy and Security: CCPA’s Legacy
The CCPA is already making waves. With Washington still not providing leadership at the federal level, it is not surprising that other states have taken a cue from California and drafted their own privacy bills. CCPA-style bills have already been introduced in New York, Massachusetts, Maryland, North Dakota and other states. And if you look at a recent proposal from US executives for a federal privacy law, it bears more than a passing resemblance to the CCPA.
Change is coming, whether from your own state or eventually at the federal level. Companies should play it smart by aligning their data security and privacy practices with the CCPA. Specifically, they should have programs and technologies to classify personal data, protect it and then constantly monitor and analyze for threats.