Personal information (PI) enables businesses to customize the customer experience and boost sales. However, consumer rights advocacy and privacy regulations, such as the EU’s General Data Protection Regulation (GDPR) and state data privacy laws enacted in the United States, limit the collection of PI. Preeminent among these laws is the California Consumer Privacy Act of 2018 (CCPA).
In fact, you may have noticed that the terms of service for most digital services now stipulate special considerations for California residents. This is because of rules set forth by the CCPA. Violating this act is a serious offense, as demonstrated by this recent case: Zoom is facing a class action lawsuit for allegedly failing to protect users’ personal information by illegally sharing it with Facebook, and could be slapped with fines of more than $40,000 per incident.
To protect your organization, you need to understand what the CCPA is, its key provisions and what steps you can take to ensure CCPA compliance.
What is the California Consumer Privacy Act?
The core purpose of the CCPA is to protect consumers from companies selling their private information. The intention is to hold those companies accountable for any business transactions involving personal data.
CCPA Terms and Definitions
What is CCPA compliance? Answering this question requires defining a few key terms:
- Personal information — This includes any piece of information, such as a real name, alias or phone number, that might be used to develop a profile about someone’s characteristics or preferences. See the next section of this document for more details.
- Collection — This is defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.”
- Selling — The law defines this as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating by any means” a consumer’s personal information to any party in exchange for any kind of compensation. The CCPA provides specific exceptions that apply to this definition. One is referral or contracting, which occurs when a consumer intentionally directs a business to interact with a third party using a personal identifier. Another is when businesses do not collect, sell or otherwise use personal info beyond what is necessary “to perform the business purpose.”
- Business purpose — Businesses looking to collect and use personal data as stipulated above must meet one of the following business purposes, as detailed in subdivision (d) of California Civil Code 140:
  - Auditing a current interaction for marketing and advertising
  - Managing security and legal threats
  - Debugging errors that impair functionality
  - Collecting data for short-term use, provided that the data is not shared with a third party or used to build a profile
  - Servicing accounts or transactions
  - Performing internal research for technological development and demonstration
  - Attempting to verify, maintain or improve the quality or safety of the business’s devices or services
- Consumer — This is defined as “a natural person who is a California resident.” According to the CCPA, a “California resident” is someone who is in the state for anything other than a temporary or transitory purpose or someone who is temporarily out of state, away from their permanent home in California.
- Business — This is a for-profit entity that does business in the state of California and meets one or more of the following thresholds:
  - Has annual gross revenues in excess of $25,000,000
  - Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers
  - Derives 50 percent or more of its annual revenues from selling consumers’ personal information
- Data breach — This is defined as a situation in which an unauthorized third party gains access to sensitive information that may harm consumers. According to an analysis of the CCPA by the National Law Review, three requirements must be met in order for a consumer to seek action as a result of the breach:
  - The data must be personal information as defined by the CCPA.
  - The personal information must be unencrypted and unredacted.
  - The breach must have been the result of a business’s failure to implement and maintain reasonable security procedures and practices.
More Details on Personal Information
What data categories are protected?
Subdivision (v)(1) of Section 1798.140 of the California Civil Code lists several examples of protected data types under the CCPA. Many of these are self-explanatory, such as “real name” or “email address.” However, a few are less commonplace and require some additional explanation.
- Unique personal identifiers/online identifiers — Although “unique personal identifier” is listed as a subtype of personal information, it is defined separately as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.” Notable examples include customer numbers, IP addresses, unique pseudonyms and online user aliases in the case of an online identifier.
- Biometric information — Sleep, health and exercise data, such as that collected by smartphones or wearable devices, falls into the protected category of biometric information. This protection also extends to data that might be collected offline, such as psychological or behavioral traits, DNA, or voice recordings.
- Geolocation data — While not defined explicitly, “geolocation data” generally includes any precise location information obtained from GPS devices or similar means. In other words, a check-in on a restaurant’s website or social media page cannot be sold in a way that can be traced back to a particular consumer.
What data categories are not protected?
The CCPA is meant to prevent the sale of personal information that can be used to identify an individual. There are certain instances, however, where it does not apply:
- Publicly available information — Any information that is available via government records is not considered “personal information” and is therefore not protected.
- Personal health information — Medical information covered under the Confidentiality of Medical Information Act and information collected by the U.S. Department of Health and Human Services per the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is regulated separately.
- Data used to generate a consumer report — Activity used to determine credit worthiness is governed separately by the Fair Credit Reporting Act.
- Financial information — Any information sold with proper notification as defined by the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act is not covered under the CCPA.
- Information collected by the DMV — Any information collected by a state Department of Motor Vehicles or its employees, officers or contractors is separately covered by the Driver’s Privacy Protection Act.
Key Privacy Provisions and Consumer Rights in the CCPA
The CCPA includes the following provisions designed to protect consumers’ rights:
- Right to know — Consumers have the right to request details about the nature of data that has been collected, used, shared and sold, as well as the reasons behind those actions.
- Right of access and portability — Businesses must deliver the information covered by the “right to know” free of charge to consumers within 45 days of a verifiable request. The disclosure should cover information collected in the 12-month period prior to the request.
- Right to opt out — Consumers may, at any time, request that their personal information not be sold by a business that otherwise lawfully sells personal information to third parties.
- Right to delete (right to be forgotten) — Consumers may ask a business to delete all of their personal information that they have collected about them across any span of time.
- Right to nondiscrimination — Businesses may not retaliate in any way against consumers who exercise their rights under the CCPA. Examples of retaliation or discrimination include denial of service, differing prices or rates, or differing quality of goods and services.
- Private right of action — In the event of a breach of the CCPA, consumers have the right to file lawsuits in an attempt to recover damages.
- Restrictions on collecting data of minors — Businesses are prohibited from selling minor consumers’ information unless specifically given consent to do so.
CCPA Sanctions and Remedies
Consumers must send 30 days’ notice of intent to seek legal action in the event of an alleged incident. If a company does not remedy the allegation, it may face fines of $100 to $750 per consumer per incident along with any other disciplinary measures deemed necessary by the court.
Consumers are not responsible for demonstrating actual damages — only that their personal information was involved in a breach as defined above.
Amendments to the CCPA
The California Privacy Rights Act (CPRA), signed into law in 2020, is a set of amendments to the CCPA. This new bill, which will become enforceable on July 1, 2023, brings with it a number of changes, including:
- New terms — There are several new terms, including “sharing” and “sensitive personal information,” that change the future treatment of personal data.
- New rights — Consumers have new privacy rights including the right to opt out of sharing and the right to correct inaccurate information.
- New responsibilities — The amendments to the California privacy law impose several new requirements on businesses, including the need to establish reasonable security measures to protect personal information and new requirements around information sharing.
CCPA Compliance Tips
Being CCPA compliant is important to help your organization reduce business risks and avoid penalties. Here are some tips to help you align your practices with CCPA requirements.
Inventory your data.
For CCPA compliance, you need to track data processing activities, which requires you to locate personal data across your file servers, databases and cloud storage. Make sure you classify your data according to applicable regulations and other categories useful to your business. That way, you can choose and implement the right security strategies for different types of data.
Establish processes for handling data subject access requests (DSARs).
It’s critical to establish effective and efficient procedures to support customers who are exercising their rights under the CCPA. These DSARs are time-sensitive — businesses must disclose what personal information is collected, how it is processed, for what purposes and with whom it is shared within 45 days of receipt of a verifiable request. Classifying your data is critical to ensuring you can quickly and easily compile data for each consumer request.
Review and record how protected data is used.
Consumers have a right to know how their data is being used, so it’s in your best interest to have answers ready for them. You need to identify where personal data is used, including business processes, software and devices. In addition, you need information on which data types are used for marketing purposes, and which of them are sold or shared with third parties.
Review your record-keeping practices.
To comply with the CCPA, it’s crucial to establish processes to dispose of data in response to “right to be forgotten” requests. The CCPA’s deletion right applies only to data collected from the consumer (i.e., not to data about the consumer collected from third-party sources). The biggest challenge here is deleting data that has been shared with different internal teams and systems, or disclosed to third parties like vendors or partners. For each of these parties, you need to trace the data back to the systems storing it and request its deletion.
Make it easy for consumers to exercise their rights.
It must be easy for consumers to exercise their rights under the CCPA. You should provide at least two methods for submitting requests, including a toll-free number and a form on your website. In addition, you should offer a simple way for consumers to opt out of having their personal information sold or shared except where it’s necessary, such as an easy-to-find link titled “Do Not Sell My Personal Information.”
Require privacy training for all employees.
Members of your organization need to understand their role in ensuring that your organization is compliant. This means providing training for both new employees and seasoned staff.
Monitor for changes in laws.
The CPRA has already brought amendments to the CCPA, and the requirements are likely to continue to change in the future. Keep an eye out for these changes to ensure that you remain in compliance.
How Does Netwrix Help with the CCPA?
The CCPA requires you to ensure that all personal information you collect and store is kept secure. With the Netwrix Data Security Platform, you can implement a data-centric approach to security that achieves this goal. You can automate change, access and configuration auditing, as well as ensure accurate discovery and classification of sensitive data. Plus, you can get actionable insights for improving data and infrastructure security, such as overexposed data and misconfigurations. Moreover, you can quickly respond to data subject access requests, saving enormous amounts of time and money.
1. What is the CCPA?
The CCPA is a California state law that establishes protections for consumers’ personal information.
2. What data does the CCPA cover?
The CCPA covers all private personal consumer information that is not available from local, state or federal sources.
3. Which companies does the CCPA affect?
The CCPA applies to every for-profit business operating in California that satisfies certain conditions, such as a revenue threshold. This includes businesses that are not based in California but that operate there.
4. Do any other states have privacy laws to protect personal information?
Both Virginia and Nevada have adopted privacy laws, and many other states are considering similar legislation. For up-to-date information, check the state privacy law comparison table offered by the International Association of Privacy Professionals (IAPP).