The California Consumer Privacy Act (CCPA) was signed into law in 2018, following a series of high-profile data breaches and data-sharing scandals involving large technology companies, and took effect on January 1, 2020. Modeled loosely after the European Union (EU) General Data Protection Regulation (GDPR), it gives consumers more control over their personal information. Businesses that operate in California and collect personal information about California residents must disclose how that information is collected and used, and must honor consumer requests to access, delete, or stop the sale of it.
Who Must Comply with CCPA?
Any company that collects personal information about California residents should review CCPA's requirements. CCPA is widely expected to shape privacy laws in other states, so businesses that do not handle California data should still track it to understand what a similar law would require of them.
A for-profit business that does business in California is subject to CCPA if it meets at least one of the following thresholds:
- Annual gross revenue above $25 million.
- Annually buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenue from selling consumers' personal information.
(The CPRA amendments, effective January 1, 2023, raised the second threshold to 100,000 consumers or households and extended the third to selling or sharing personal information.)
What Does CCPA Cover?
Because CCPA gives consumers control over their data, most of its obligations concern how businesses collect, use, and distribute personal information gathered through websites and other digital channels. A consumer can contact the business with a verifiable request about how their information is stored and used, and the business must respond to certain requests.
On request, CCPA requires a business to disclose:
- The specific pieces of personal information it has collected about the consumer.
- The categories of personal information collected (e.g., financial, contact, medical) and the categories of sources from which it was collected.
- The business or commercial purpose for collecting or selling the information.
- The categories of third parties with which the information is shared or to which it is sold.
In addition, a business must honor consumer requests to:
- Delete their personal information (subject to the statute's exceptions, such as completing a transaction or complying with a legal obligation).
- Opt out of the sale of their personal information.
- Receive their personal information in a portable, readily usable format.
A business may not discriminate against a consumer (for example, by charging a different price or degrading service) for exercising any of these rights.
What are Key Privacy Provisions in CCPA?
CCPA is often compared to the EU GDPR, but CCPA has a notably broad definition of personal information: it covers any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The definition reaches well beyond contact details. A record with no name, email, or phone number still falls under CCPA if its contents can be linked to a person or household. For example, a street address combined with household income and a few other specific attributes can single out one household, so such a record is covered.
CCPA exempts deidentified and aggregate data, but a business relying on that exemption must ensure the data is actually deidentified, not merely stripped of names. Records that are generalized or name-free can often be re-identified by linking the remaining attributes (ZIP code, age, gender, dates) to outside data sources.
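The re-identification risk described above is worth seeing concretely. The following Python script is an added example, not part of the original article or any CCPA guidance: it builds a small constructed dataset (fictional households, no real people), removes the name column, and measures k-anonymity over the remaining quasi-identifiers. A value of k=1 means some record is unique on those attributes alone and could be linked back to a household using a voter roll or marketing list. It then generalizes the quasi-identifiers and re-checks before allowing a release. The column names, the generalization rules and the k=2 threshold are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample dataset (fictional households, not real people) with the
# name column already removed. The remaining columns besides income are
# quasi-identifiers: each value is common on its own, but the combination
# can be unique to one household.
RECORDS = [
    {"zip": "94110", "age": 34, "gender": "F", "income": 142000},
    {"zip": "94110", "age": 36, "gender": "F", "income": 138000},
    {"zip": "94117", "age": 52, "gender": "M", "income": 91000},
    {"zip": "94117", "age": 58, "gender": "M", "income": 87000},
    {"zip": "94118", "age": 29, "gender": "F", "income": 65000},
    {"zip": "94118", "age": 27, "gender": "F", "income": 71000},
]

# Assumed quasi-identifier columns before and after generalization.
QUASI_IDENTIFIERS = ("zip", "age", "gender")
GENERALIZED_QUASI_IDENTIFIERS = ("zip", "age")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(rec[q] for q in quasi_ids) for rec in records)


def k_anonymity(records, quasi_ids):
    """Size of the smallest equivalence class.

    k == 1 means at least one record is unique on the quasi-identifiers alone,
    so an attacker holding those attributes from another source can link it
    to a specific person or household even though the name was removed.
    """
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singletons(records, quasi_ids):
    """Records that sit alone in their equivalence class: the re-identification candidates."""
    classes = equivalence_classes(records, quasi_ids)
    return [rec for rec in records if classes[tuple(rec[q] for q in quasi_ids)] == 1]


def generalize(record):
    """Coarsen the quasi-identifiers (assumed rules for this example):

    - 5-digit ZIP to its 3-digit prefix,
    - exact age to a ten-year bucket,
    - gender suppressed entirely.

    Income, the attribute the dataset exists to analyze, is kept as-is.
    """
    decade = record["age"] // 10 * 10
    return {
        "zip": record["zip"][:3] + "**",
        "age": f"{decade}-{decade + 9}",
        "income": record["income"],
    }


def release_if_k_anonymous(records, quasi_ids, k=2):
    """Return the dataset only if every quasi-identifier combination covers at
    least k records; otherwise return None so an under-protected dataset is
    never handed to a downstream consumer."""
    return records if k_anonymity(records, quasi_ids) >= k else None


if __name__ == "__main__":
    print("k on name-stripped records:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("unique (re-identifiable) records:", len(singletons(RECORDS, QUASI_IDENTIFIERS)))
    generalized = [generalize(r) for r in RECORDS]
    print("k after generalization:", k_anonymity(generalized, GENERALIZED_QUASI_IDENTIFIERS))
    print("release permitted:", release_if_k_anonymous(generalized, GENERALIZED_QUASI_IDENTIFIERS) is not None)
```

On the constructed data every name-stripped record is unique (k=1), which is exactly the situation the paragraph warns about; after generalization every combination covers two households (k=2) and the release gate opens. k-anonymity is a floor, not a guarantee: a real deidentification review would also look at how much the kept attribute (income here) varies within each class, and CCPA additionally expects technical and contractual safeguards against re-identification.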
What Are Penalties for Violating CCPA?
Although CCPA was signed into law in 2018, it did not take effect until January 1, 2020, and the Attorney General began enforcing it on July 1, 2020. Businesses have 45 days to respond to a verifiable consumer request, extendable by another 45 days when reasonably necessary.
Under the original statute, a business that receives a notice of alleged noncompliance from the Attorney General has 30 days to cure the violation; if it fails to do so, civil penalties run up to $2,500 per violation, or up to $7,500 per intentional violation. Separately, consumers have a private right of action for data breaches that result from a failure to maintain reasonable security: statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
Compliance violations also leave businesses open to additional lawsuits. Should a critical data breach affect numerous consumers, the business could face years of litigation and additional costs on attorney’s fees and reparations.
What Does CCPA Mean for Cybersecurity?
Because data protection is central to CCPA compliance, the security of any infrastructure that stores or processes personal information should be a priority. Weak authorization controls and missing protections can lead directly to penalties and breach litigation, so CCPA pushes organizations toward stronger security. The statute requires “reasonable security procedures and practices appropriate to the nature of the information,” which leaves the specific controls open to interpretation; the California Attorney General's 2016 Data Breach Report pointed to the CIS Critical Security Controls as a minimum baseline. Note also that the private right of action applies to breaches of nonencrypted and nonredacted personal information, so encrypting personal data at rest and in transit materially reduces exposure.
The first step toward meeting that standard is a risk assessment: inventory the systems that store or process personal information, identify the threats and weaknesses that apply to each, and rank them by likelihood and impact. Organizations without in-house expertise often engage outside assessors for this work; the resulting assessment then drives the selection and implementation of controls.
How to Become CCPA Compliant
CCPA compliance can be convoluted when security controls are involved, but practitioners familiar with the process can guide it. Businesses can follow six basic steps:
- Assign a team or individual to be responsible for data privacy. This role should focus on CCPA and other compliance standards and the cybersecurity surrounding data protection.
- Inventory data to determine what’s collected and must be protected. Understanding how data is collected and flows from system to system provides a roadmap for implementing cybersecurity controls.
- Perform a risk assessment. The assessment surfaces data stores and systems that hold personal information, including forgotten or unofficial ones, so that the protection strategy covers them rather than only the known infrastructure.
- Develop and implement controls that protect the data. These can be third-party tools or custom code that enforces access controls on the data, together with encryption of personal information at rest and in transit.
- Define policies and governance over data. These policies should oversee mitigation and monitoring of consumer data, including vendor access and supply chain risk management.
- Maintain an audit trail of all policies and procedures used for data privacy. Through auditing and policy trails, you can review your policies and identify lessons learned to improve them in the future.