What Is CCPA Compliance?

The California Consumer Privacy Act (CCPA) was enacted in 2018 to combat the numerous data breaches in Big Tech from poorly defined access controls and privacy management. Modelled after the European Union (EU) General Data Protection Regulation (GDPR), the new regulations give users the right to know when and how their information is being collected and sold, as well as the ability to opt-out.

CCPA compliance is a set of regulations that organisations must follow to protect the data privacy rights of California residents. It requires organisations to be transparent about their data collection and usage practices, to respond to consumer requests, and to implement reasonable security measures to protect user data.

Any organisation collecting data on California residents should look into the compliance regulations around CCPA. Experts anticipate that CCPA regulations will drive future laws in other states to provide users with better control over their data.

The specific organisation factors that fall under the CCPA regulations:

• Have an annual gross revenue income of at least $25 million.
• Buy, sell, or share the data of 100,000 or more California residents, households, or devices.
• Earn 50% or more of their annual revenue from selling California residents’ personal information.

Nonprofit organisations or government agencies are often exempt from certain CCPA compliance regulations. However, the CCPA broadly includes all “organisations” that collect and sell consumer “personal information” or disclose personal data for an organisation’s purpose. Organisations that don’t work with California data should still track information related to CCPA to understand those regulations should a similar law pass in other states.

Because CCPA gives users more control over their data, many compliance regulations define how organisations collect and distribute private information from websites and other digital methods. Users can contact the organisation and ask for information regarding their data storage and usage, and organisations must comply with specific requests.

CCPA requires organisations to comply with user requests for:

• All data collected and stored.
• Each category of sources from which data is collected (e.g., financial, contact, medical).
• The organisation’s purpose for collecting and selling user data.
• A list of third parties that have access to a user’s data.

In addition, organisations must take action per these user requests:

• Ask the organisation to delete their data.
• Prohibit the sale of their data.
• Request control of their data to avoid discrimination.
• Port their data.

The CCPA contains several key privacy provisions that organisations must comply with to protect the data privacy rights of California residents, including

• Right to Know: The CCPA gives consumers the right to what personal information an organisation collects about them and how it is used and shared. Organisations must provide this information to consumers upon request.
• Right to Delete: The CCPA gives consumers the right to request that organisations delete personal information collected from them (with some exceptions). Organisations must comply with these requests.
• Right to Opt-Out: The CCPA gives consumers the right to opt-out of the sale or sharing of their personal information. Organisations must provide consumers with a clear and conspicuous link on their website to opt-out of selling their personal information.
• Right to Limit Use and Disclosure of Sensitive Personal Information: The CCPA gives consumers the right to limit the use and disclosure of sensitive personal information collected about them.
• Private Right of Action: The CCPA requires organisations to protect the personal data of California consumers. Therefore, consumers can sue an entity directly if the organisation did not sufficiently protect their personal information through security means, such as encryption or redaction.
• Privacy Policy Disclosures: The CCPA requires organisations to provide consumers with a written statement outlining its online and offline practices for the collection, use, sharing, and sale of consumers’ personal information. The CCPA requires organisations’ privacy policies to include specific, detailed information.

The protection of these provisions extends beyond contact information. Data without contact information can still fall under CCPA compliance if it can be used to identify a person. For example, an address, household income, and other specific information can identify a consumer, so CCPA provisions would cover this record.

Though CCPA doesn’t cover data that cannot be used to identify a consumer, organisations must ensure that stored data is safely anonymised. Generalised data can often identify consumers even if the record contains no name.

CCPA and GDPR are two data privacy laws that aim to protect the data privacy rights of individuals. Although they share some similarities, there are fundamental differences between them regarding applicability, scope, sensitive personal data, consent, and enforcement.

• Applicability: The GDPR applies to any organisation that processes the personal data of EU residents, while the CCPA applies to organisations that generate over $25 million in annual revenue or have more than 50,000 Californian users.
• Scope: The CCPA’s scope extends to personal data relating to a household or device, whereas the GDPR does not apply to personal data used for personal or household activities.
• Sensitive Personal Data: The GDPR created a special category of data called “sensitive personal data”, which prohibits processing unless one of the specific requirements is met. CCPA, on the other hand, does not define sensitive personal data.
• Consent: The GDPR requires that users give clear and affirmative consent before having their personal data processed, while the CCPA allows users to opt-out of data collection.
• Enforcement: Supervisory authorities in each EU member state enforce the GDPR, while the California Attorney General’s office enforces the CCPA.

While both CCPA and GDPR aim to protect the data privacy rights of individuals, they’re different in significant ways. Organisations that want to comply with both laws should understand their differences to avoid legal issues.

CCPA compliance training is a requirement for organisations that collect and process the personal information of California residents. These organisations must provide training to all individuals responsible for handling consumer data, particularly those involved in processing data rights requests.

Whether through on-site classes, virtual training sessions, or standardised courses, training should cover all aspects of CCPA compliance, including procedures for responding to customer inquiries about exercising their privacy rights. The CCPA regulations require affected organisations to establish, document, and comply with a training policy, including the frequency by which the organisation administers training. The training itself should cover:

• Educating consumers on their rights under the CCPA and CPRA, ensuring they understand how to exercise these rights without facing any discrimination from the organisation.
• Guiding organisations on the proper way to offer financial incentives to consumers in return for collecting their personal information, including the specific limitations and prerequisites of this approach.

While the CCPA does not disclose a specific training frequency, they recommend annual refresher sessions to ensure up-to-date compliance and awareness of regulations.

Although CCPA regulations were enacted in 2018, organisations had until January 2020 to ensure their systems complied. Organisations have 45 days to respond to any consumer request under CCPA rules.

After an audit, the organisation may receive notices that systems are not compliant. The organisation then has 30 days to remediate the issue; failure to do so could result in up to $7500 in fines for each breach. Users can seek $750 in damages for each data breach.

Compliance violations also leave organisations open to additional lawsuits. Should a critical data breach affect numerous consumers, the organisation could face years of litigation and additional costs in attorney’s fees and reparations.

Because data protection is a critical component in CCPA compliance, the cybersecurity of any infrastructure that stores user information should be a priority. Poor authorisation controls and security protections could result in severe penalties. Essentially, the CCPA drives organisations to implement better cybersecurity. The CCPA states that organisations must implement “reasonable security” measures, which leaves security compliance open to interpretation.

The first step in improving cybersecurity is to perform a risk assessment. Many organisations don’t have the know-how to perform an effective risk assessment, so they hire professionals to conduct an audit, inventory its infrastructure, and calculate a risk analysis. Once the assessment is complete, these professionals will provide guidance on building and implementing cybersecurity controls.

The CCPA also requires organisations to respond to consumer requests to exercise their privacy rights, including requests to delete personal information or opt-out of the sale of personal information. This requires organisations to implement systems and processes to identify and locate personal information and securely delete or transfer that information upon request.

The CCPA also has implications for collecting employee data, conducting background checks, and monitoring programmes used by organisations. CCPA-governed organisations must announce a notice-at-collection for background checks and ensure proper safeguards for the collected background check data. The CCPA defines the categories of protected data, with the most relevant insider threat being network usage.

CCPA compliance can be convoluted and confusing when cybersecurity is involved, but cybersecurity professionals familiar with these regulations provide relevant guidance to ensure and manage compliance. Organisations can follow six basic steps to ensure CCPA compliance:

1. Assign a team or individual to be responsible for data privacy. This role should focus on CCPA and other compliance standards and the cybersecurity surrounding data protection.
2. Inventory collected data to determine what must be protected. Understanding how data is collected and flows from system to system provides a roadmap for implementing cybersecurity controls.
3. Perform a risk assessment. During the risk assessment, the organisation will discover the systems that store this data to create strategies that include unknown infrastructure.
4. Develop and implement tools that protect data. These tools could be third-party implementations or custom codes to add access controls to data.
5. Define policies and governance over data. These policies should oversee consumer data mitigation and monitoring, including vendor access and supply chain risk management.
6. Maintain an audit trail of all policies and procedures used for data privacy. Auditing and policy trails enable you to review your policies and identify lessons learned to improve them in the future.
7. Train employees on CCPA compliance. Organisations must train employees on key aspects of the CCPA, its compliance requirements, and its corresponding procedures and system updates. This training is especially critical for employees in customer-facing roles.

Proofpoint offers several solutions to help organisations remain CCPA compliant. Proofpoint’s Intelligent Compliance and Archiving solutions make it easier for organisations to make more informed compliance decisions, manage information risk, and improve investigation readiness.

Additionally, Proofpoint’s Data Loss Protection (DLP) capabilities help organisations identify and analyse sensitive data unique to their organisation. It enables the detection of data exfiltration transmissions and automates regulatory compliance. This can help organisations protect sensitive data and comply with data privacy regulations.

Proofpoint also equips organisations with Information Protection and Security solutions that help with auditing and discovering data, creating a strategy that follows CCPA and other compliance regulations, and protecting data from theft or destruction. By providing these solutions, Proofpoint helps organisations comply with data privacy regulations, protect sensitive data, and maintain the trust of their customers. To learn more, contact Proofpoint.