
CCPA Compliance: How to Become Compliant

The collection and processing of personal information (PI) enables businesses to customize the customer experience and boost sales. However, consumer rights advocates and privacy regulations strictly limit the collection of PI to ensure that organizations use the data in a meaningful and just manner. The most famous such regulation is the EU’s General Data Protection Regulation (GDPR), but more and more states in the United States are enacting data privacy laws of their own.

Preeminent among these laws are the California Consumer Privacy Act of 2018 (CCPA) and its subsequent extension, The California Privacy Rights Act (CPRA), which we will discuss further in this article.

Indeed, you may have noticed that the terms of service for most digital services now stipulate special considerations for California residents. This is because of rules set forth by the CCPA that apply to organizations operating in the state of California.

Many organizations already have policies in place to comply with the GDPR. However, the CCPA has some provisions that require additional measures. To protect your organization, you should understand what the CCPA is, its key provisions and the steps you can take to ensure CCPA compliance. This article will discuss how to become CCPA compliant, why it matters and how to maintain a balance between privacy and business efficiency.

What Is the California Consumer Privacy Act?

The California Consumer Privacy Act is a California state statute that took effect on January 1, 2020. The core purpose of the CCPA is to protect consumers from companies selling their private information without any official notice or opt-in and opt-out opportunities. The intention is to hold those companies accountable for any business transactions involving personal data.

CCPA Terms and Definitions

What is CCPA compliance? Answering this question requires defining a few key terms:

  • Business — A for-profit entity that does business in the state of California and meets the criteria to be covered by the CCPA (provided below).
  • Business purpose — Businesses looking to collect and use personal data must meet one of the following business purposes, as detailed in subdivision (d) of California Civil Code 140:
    • Auditing a current interaction for marketing and advertising
    • Managing security and legal threats
    • Debugging errors that impair functionality
    • Collecting data for short-term use that is not shared with a third party or used to build a profile
    • Servicing accounts or transactions
    • Performing internal research for technological development and demonstration
    • Attempting to verify, maintain or improve the quality or safety of the business’s devices or services
  • California resident — Someone who is in the state for anything other than a temporary or transitory purpose, or someone who is temporarily out of state but whose permanent home is in California.
  • Collection — Defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.”
  • Consumer — A natural person who is a California resident.
  • Data breach — A situation in which an unauthorized party gains access to sensitive information that may harm consumers. According to an analysis of the CCPA by the National Law Review, there are three requirements that must be met for a consumer to seek action as a result of the breach:
    • The data must be personal information as defined by the CCPA.
    • The personal information must be unencrypted and unredacted.
    • The breach must have been the result of a business’s failure to implement and maintain reasonable security procedures and practices.
  • Personal information — Any piece of information, such as a real name, alias or phone number, that might be used to develop a profile about someone’s characteristics or preferences.
  • Selling — The law defines this as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating by any means” a consumer’s personal information to any party in exchange for any kind of compensation. The CCPA provides specific exceptions that apply to this definition. One is referral or contracting, which occurs when a consumer intentionally directs a business to interact with a third party using a personal identifier. Another is when businesses do not collect, sell or otherwise use personal info beyond what is necessary “to perform the business purpose.”

Which Organizations Must Comply with the CCPA?

The CCPA is not limited to businesses based in California. Rather, it applies to any for-profit business that collects personal information from CA residents and meets at least one of the following criteria:

  • Has an annual revenue of at least $25 million
  • Holds personal information from at least 50,000 individuals or households
  • Generates more than half of its annual revenue by selling California residents’ personal information

Exemptions include the following:

  • Financial institutions subject to Gramm-Leach-Bliley (GLB) or CalFIPA regulations
  • Credit reporting agencies subject to the Fair Credit Reporting Act
  • Health providers subject to CMIA and HIPAA
  • Certain business-to-business (B2B) relationships

Accordingly, if your organization has collected any personal information from a California resident (for example, through website cookies), then you may need to comply with the CCPA. 

What Information Is Regulated by the CCPA?

Subdivision (v) (1) of Section 1798.140 of the California Civil Code lists several categories of protected data types under the CCPA. Many of these are self-explanatory, such as “real name” or “email address.” However, a few require some additional explanation:

  • Unique personal identifiers/online identifiers — Although “unique personal identifier” is listed as a subtype of personal information, it is defined separately as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.” Notable examples include customer numbers, IP addresses, unique pseudonyms, and online user aliases.
  • Biometric information — Sleep, health, and exercise data, such as that collected by smartphones or wearable devices, fall into the protected category of biometric information. This protection also extends to data that might be collected offline, such as psychological or behavioral traits, DNA, or voice recordings.
  • Geolocation data — While not defined explicitly in the CCPA, geolocation data generally includes any precise location information obtained from GPS devices or similar means. In other words, a check-in on a restaurant’s website or social media page cannot be sold in a way that can be traced back to a particular consumer.

Exceptions

The CCPA is meant to prevent the sale of personal information that can be used to identify an individual. However, there are certain instances where the law does not apply, including the following:

  • Publicly available information — Any information that is available via government records is not considered “personal information” and is therefore not protected.
  • Personal health information — Medical information covered under the Confidentiality of Medical Information Act and information collected by the U.S. Department of Health and Human Services per the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are regulated separately. Clinical trial information subject to the Federal Policy for the Protection of Human Subjects is also not covered by the CCPA.
  • Data used to generate a consumer report — Activity used to determine creditworthiness is governed separately by the Fair Credit Reporting Act.
  • Financial information — Any information sold with proper notification as defined by the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act is not covered under the CCPA.
  • Information collected by the DMV — Any information collected by a state Department of Motor Vehicles or its employees, officers, or contractors is separately covered by the Driver’s Privacy Protection Act (DPPA).
  • Other information — Other exceptions include certain employee information used within the scope of the employer-employee relationship, and certain vehicle warranty and recall information.

Key Privacy Provisions and Consumer Rights in the CCPA

The CCPA includes the following provisions designed to protect consumers’ rights:

  • General disclosure — Businesses are required to publish a privacy policy describing consumers’ rights and the categories of personal information they have collected and disclosed in the last 12 months.
  • Right to know — Consumers have the right to request details about the nature of data that has been collected, used, shared and sold, as well as the reasons for those actions.
  • Right of access and portability — Businesses must deliver the information covered by the “right to know” free of charge to consumers within 45 days of a verifiable request. The disclosure should cover information collected in the 12-month period before the request.
  • Right to opt out — Consumers may, at any time, request that their personal information not be sold by a business that otherwise lawfully sells personal information to third parties.
  • Right to delete (right to be forgotten) — Consumers may ask a business to delete all personal information collected about them across any span of time.
  • Right to nondiscrimination — Businesses may not retaliate against consumers who exercise their rights under the CCPA. Examples of retaliation or discrimination include denial of service, differing prices or rates, and differing quality of goods and services.
  • Private right of action — In the event of a breach of the CCPA, consumers have the right to file lawsuits in an attempt to recover damages.
  • Restrictions on collecting data of minors — Businesses are prohibited from selling the information of minor consumers unless specifically given consent. Minors who are 13–16 years old must opt in before businesses may sell their personal data. If the consumer is younger than 13, the business must obtain consent from a parent or guardian.

CCPA Sanctions and Remedies

Consumers must send 30 days’ notice of intent to seek legal action in the event of an alleged incident. If a company does not remedy the allegation, it may face fines of up to $2,500 for each violation. The court may also impose additional disciplinary measures.

Consumers are not responsible for demonstrating actual damages — only that their personal information was involved in a data breach as defined above.

Amendments to the CCPA

The California Privacy Rights Act (CPRA), signed into law in 2020, is a set of amendments to the CCPA. This bill, which becomes enforceable on July 1, 2023, brings with it several changes, including:

  • New terms — There are several new terms, including “sharing” and “sensitive personal information,” that change the future treatment of personal data.
  • New rights — Consumers have additional privacy rights, including the right to opt out of sharing and the right to correct inaccurate information.
  • New responsibilities — The amendments to the California privacy law impose several new requirements on businesses, including the need to establish reasonable security measures to protect personal information and new requirements around information sharing.

CCPA Compliance Tips

Being CCPA compliant helps your organization reduce risk and avoid penalties. Here are some tips to help you align your data collection and management practices with CCPA compliance requirements.

Inventory your data.

For CCPA compliance, you need to track data processing activities, which requires you to locate personal information across your file servers, databases and cloud storage. Make sure you classify your data so you know which data is subject to the CCPA, as well as how it fits into other categories useful to your business. That way, you can choose and implement the right security strategies for different types of data.
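As an added illustration of the inventory step (example code written for this article, not a Netwrix tool), the script below scans a handful of constructed sample files and tags each one with the CCPA personal-information categories discussed above: email address, phone number, IP address as a unique personal identifier, and a latitude/longitude pair as precise geolocation data. The file paths, contents and regular expressions are all assumptions for the example, and the patterns are deliberately simple.

```python
import re
from collections import defaultdict

# Constructed sample "files" standing in for records found on a file server or
# in cloud storage; paths and contents are invented for this example.
SAMPLE_FILES = {
    "hr/onboarding.txt": "Jane Doe, jane.doe@example.com, phone (415) 555-0142",
    "web/access.log": "203.0.113.7 - - [10/Jan/2024] GET /checkin",
    "app/checkins.csv": "user42,37.7749,-122.4194,2024-01-10",
    "docs/release-notes.md": "Version 2.3 fixes the export bug.",
}

# Patterns keyed by the CCPA personal-information category they indicate.
# An IP address is treated as a "unique personal identifier"; a lat/long pair
# is treated as precise geolocation data. Patterns are intentionally simple.
PATTERNS = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone number": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "unique personal identifier (IP address)": re.compile(
        r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "geolocation data": re.compile(
        r"-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}"),
}


def classify(text: str) -> set[str]:
    """Return the set of CCPA PI categories detected in one text blob."""
    return {cat for cat, rx in PATTERNS.items() if rx.search(text)}


def inventory(files: dict[str, str]) -> dict[str, set[str]]:
    """Map path -> detected categories; files with no PI are left out, so the
    result is the list of items that fall within CCPA scope."""
    found = {}
    for path, content in files.items():
        cats = classify(content)
        if cats:
            found[path] = cats
    return found


def category_index(inv: dict[str, set[str]]) -> dict[str, list[str]]:
    """Invert the inventory to category -> sorted paths, which is the view
    needed when answering a right-to-know request for a given data type."""
    idx = defaultdict(list)
    for path, cats in inv.items():
        for cat in cats:
            idx[cat].append(path)
    return {cat: sorted(paths) for cat, paths in idx.items()}
```

In practice the category list would be extended with the other data types named in Section 1798.140 and the scan would walk real storage locations rather than an in-memory dictionary.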

Establish processes for handling data subject access requests (DSARs).

It’s critical to establish effective and efficient procedures to support customers who are exercising their rights under the CCPA. DSARs are time-sensitive — businesses must disclose what personal information is collected, how it is processed, for what purposes and with whom it is shared within 45 days of receipt of a verifiable request. Classifying your data and having workflows that can be performed by non-IT personnel will help you respond to each consumer request in a timely manner.

Review and record how protected data is used.

Consumers have a right to know how their data is being used, so it’s in your best interest to have answers ready for them. You need to identify where personal data is used, including business processes, software and devices. In addition, you need information on which data types are used for marketing purposes and which of them are sold or shared with third parties. Furthermore, it’s important to safeguard data when it is most at risk, namely when it is in transit or at rest. Specifically, while not in use, data should be encrypted and pseudonymized for protection.

Review your record-keeping practices.

To comply with the CCPA, you must be able to dispose of appropriate data in response to “right to be forgotten” (“right to erasure”) requests. The CCPA’s deletion right applies only to data collected from the consumer (and not to data about the consumer collected from third-party sources). The biggest challenge here is to delete data that has been shared with different internal teams and systems or disclosed to third parties such as vendors or partners. With any of these parties, you need to track back to the sources storing data and request the deletion.

Make it easy for consumers to exercise their rights.

It must be easy for consumers to exercise their rights under the CCPA. You should provide at least two methods for submitting requests, including a toll-free number and a form on your website. In addition, consumers who want to opt out of having their personal information sold or shared except where necessary should have a simple way to do so, such as an easy-to-find link on your website titled “Do Not Sell My Personal Information.”

Review and update your privacy policy.

The CCPA requires that a privacy policy be accessible via your website. It must explain your online and offline practices for the collection, use, sharing and sale of consumers’ personal information. It must also include information on consumers’ privacy rights and how they can exercise them.

Mandate privacy training for all employees.

Members of your organization need to understand their role in keeping your organization compliant with CCPA requirements. This means providing training for both new employees and seasoned staff.

Monitor for changes in laws.

The CPRA has already brought amendments to the CCPA, and the requirements are likely to continue to change in the future. Keep an eye out for these changes so you remain in compliance.

How Does Netwrix Help with the CCPA?

Netwrix compliance solutions offer a complete, multi-layered approach that enables you to comply with the CCPA, quickly and accurately respond to DSARs, and be ready to comply with updated requirements.

The CCPA requires you to ensure that all personal information you collect and store is kept secure. With the Netwrix compliance solutions, you can implement a data-centric approach to security that achieves this goal. You can automate change, access and configuration auditing, as well as ensure accurate discovery and classification of sensitive data. Plus, you can get actionable insights for improving data and infrastructure security, such as overexposed data and misconfigurations. Moreover, you can quickly respond to data subject access requests by automating the data collection process — a crucial and resource-intensive step.

FAQ

1. What is the CCPA?

The CCPA is a California state law that establishes protections for consumers’ personal information.

2. What data does the CCPA cover?

The CCPA covers all private personal consumer information that is not available from local, state or federal sources.

3. Which companies does the CCPA affect?

The CCPA applies to every for-profit business operating in California that satisfies certain conditions, such as a revenue threshold. This includes companies that are not based in California but that do business there.

Craig is an award-winning information security leader specializing in identity and access management. In his role as Field CISO NAM at Netwrix, he leverages his broad expertise in modernizing identity solutions, including experience with privileged access management, zero standing privilege and the Zero Trust security model. Prior to joining Netwrix, Craig held leadership roles at HP and Trend Micro. He holds both CISSP and Certified Ethical Hacker certifications.