The California Consumer Privacy Act (CCPA) was enacted in 2018 to combat the numerous data breaches in Big Tech from poorly defined access controls and privacy management. Modeled after the European Union (EU) General Data Protection Regulation (GDPR), the new regulations give users the right to know when and how their information is being collected and sold, as well as the ability to opt-out.
CCPA compliance is a set of regulations that organizations must follow to protect the data privacy rights of California residents. It requires organizations to be transparent about their data collection and usage practices, to respond to consumer requests, and to implement reasonable security measures to protect user data.
Who Must Comply With CCPA?
Any organization collecting data on California residents should look into the compliance regulations around CCPA. Experts anticipate that CCPA regulations will drive future laws in other states to provide users with better control over their data.
Organizations fall under the CCPA regulations if they:
- Have an annual gross revenue income of at least $25 million.
- Buy, sell, or share the data of 100,000 or more California residents, households, or devices.
- Earn 50% or more of their annual revenue from selling California residents’ personal information.
Nonprofit organizations or government agencies are often exempt from certain CCPA compliance regulations. However, the CCPA broadly includes all “organizations” that collect and sell consumer “personal information” or disclose personal data for an organization’s purpose. Organizations that don’t work with California data should still track information related to CCPA to understand those regulations should a similar law pass in other states.
What Does CCPA Cover?
Because CCPA gives users more control over their data, many compliance regulations define how organizations collect and distribute private information from websites and other digital methods. Users can contact the organization and ask for information regarding their data storage and usage, and organizations must comply with specific requests.
CCPA requires organizations to comply with user requests for:
- All data collected and stored.
- Each category of sources from which data is collected (e.g., financial, contact, medical).
- The organization’s purpose for collecting and selling user data.
- A list of third parties that have access to a user’s data.
In addition, organizations must take action when users:
- Ask the organization to delete their data.
- Prohibit the sale of their data.
- Request control of their data to avoid discrimination.
- Port their data.
The protection of these provisions extends beyond contact information. Data without contact information can still fall under CCPA compliance if it can be used to identify a person. For example, an address, household income, and other specific information can identify a consumer, so CCPA provisions would cover this record.
Though CCPA doesn’t cover data that cannot be used to identify a consumer, organizations must ensure that stored data is safely anonymized. Generalized data can often identify consumers even if the record contains no name.
While both CCPA and GDPR aim to protect the data privacy rights of individuals, they’re different in significant ways. Organizations that want to comply with both laws should understand their differences to avoid legal issues.
What Is CCPA Compliance Training?
CCPA compliance training is a requirement for organizations that collect and process the personal information of California residents. These organizations must provide training to all individuals responsible for handling consumer data, particularly those involved in processing data rights requests.
Whether through on-site classes, virtual training sessions, or standardized courses, training should cover all aspects of CCPA compliance, including procedures for responding to customer inquiries about exercising their privacy rights. The CCPA regulations require affected organizations to establish, document, and comply with a training policy, including the frequency by which the organization administers training. The training itself should cover:
- Educating consumers on their rights under the CCPA and CPRA, ensuring they understand how to exercise these rights without facing any discrimination from the organization.
- Guiding organizations on the proper way to offer financial incentives to consumers in return for collecting their personal information, including the specific limitations and prerequisites of this approach.
While the CCPA does not disclose a specific training frequency, they recommend annual refresher sessions to ensure up-to-date compliance and awareness of regulations.
What Are CCPA Penalties for Violating Compliance Requirements?
Although CCPA regulations were enacted in 2018, organizations had until January 2020 to ensure their systems complied. Organizations have 45 days to respond to any consumer request under CCPA rules.
After an audit, the organization may receive notices that systems are not compliant. The organization then has 30 days to remediate the issue; failure to do so could result in up to $7500 in fines for each breach. Users can seek $750 in damages for each data breach.
Compliance violations also leave organizations open to additional lawsuits. Should a critical data breach affect numerous consumers, the organization could face years of litigation and additional costs in attorney’s fees and reparations.
What Does CCPA Mean for Cybersecurity?
Because data protection is a critical component in CCPA compliance, the cybersecurity of any infrastructure that stores user information should be a priority. Poor authorization controls and security protections could result in severe penalties. Essentially, the CCPA drives organizations to implement better cybersecurity. The CCPA states that organizations must implement “reasonable security” measures, which leaves security compliance open to interpretation.
The first step in improving cybersecurity is to perform a risk assessment. Many organizations don’t have the expertise to perform an effective risk assessment, so they hire professionals who will conduct an audit, inventory the infrastructure, and perform a risk analysis. Once the assessment is complete, these professionals will provide guidance on building and implementing cybersecurity controls.
The CCPA also requires organizations to respond to consumer requests to exercise their privacy rights, including requests to delete personal information or opt-out of the sale of personal information. This requires organizations to implement systems and processes to identify and locate personal information and securely delete or transfer that information upon request.
The CCPA also has implications for collecting employee data, conducting background checks, and monitoring programs used by organizations. CCPA-governed organizations must provide a notice at collection for background checks and ensure proper safeguards for the collected background check data. The CCPA defines the categories of protected data; the category most relevant to insider threats is network usage.
How to Become CCPA Compliant
CCPA compliance can be convoluted and confusing when cybersecurity is involved, but cybersecurity professionals familiar with these regulations can provide relevant guidance to ensure compliance. Organizations can follow the following basic steps to ensure CCPA compliance:
- Assign a team or individual to be responsible for data privacy. This role should focus on CCPA and other compliance standards and the cybersecurity surrounding data protection.
- Inventory collected data to determine what must be protected. Understanding how data is collected and flows from system to system provides a roadmap for implementing cybersecurity controls.
- Perform a risk assessment. During the risk assessment, the organization will discover the systems that store this data to create strategies that include unknown infrastructure.
- Develop and implement tools that protect data. These tools could be third-party implementations or custom code that adds access controls to data.
- Define policies and governance over data. These policies should oversee consumer data mitigation and monitoring, including vendor access and supply chain risk management.
- Maintain an audit trail of all policies and procedures used for data privacy. Audit and policy trails enable you to review your policies and identify lessons learned to improve them in the future.
- Train employees on CCPA compliance. Organizations must train employees on key aspects of the CCPA, its compliance requirements, and its corresponding procedures and system updates. This training is especially critical for employees in customer-facing roles.
How Proofpoint Can Help
Proofpoint offers several solutions to help organizations remain CCPA compliant. Proofpoint’s Intelligent Compliance and Archiving solutions make it easier for organizations to make more informed compliance decisions, manage information risk, and improve investigation readiness.
Additionally, Proofpoint’s Data Loss Protection (DLP) capabilities help organizations identify and analyze sensitive data unique to their organization. It enables the detection of data exfiltration transmissions and automates regulatory compliance. This can help organizations protect sensitive data and comply with data privacy regulations.
Proofpoint also equips organizations with Information Protection and Security solutions that help with auditing and discovering data, creating a strategy that follows CCPA and other compliance regulations, and protecting data from theft or destruction. By providing these solutions, Proofpoint helps organizations comply with data privacy regulations, protect sensitive data, and maintain the trust of their customers. To learn more, contact Proofpoint.