What is CCPA Compliance? Does CCPA apply to my business?
CCPA stands for California Consumer Privacy Act. The CCPA was enacted to protect the information of California residents. Like other privacy laws, CCPA includes some basic tenets of data protection as well as provisions to notify data subjects about the uses of their data, like who is going to see their data and when. Specifically, the CCPA gives California residents rights concerning personal data and outlines the related responsibilities of certain businesses in California.
The provisions of the CCPA can have a significant impact on businesses, located in or outside of California, that collect or process the personal data of California residents. The CCPA applies to any for-profit entity doing business in California–or with California residents’ data–that either has a gross revenue greater than $25 million, or that collects/processes the personal data of more than 50,000 consumers for commercial uses.
When is CCPA enforceable?
The CCPA becomes enforceable on January 1, 2020. Back in June of 2018, California passed the California Consumer Privacy Act of 2018 (CCPA), making it the first U.S. state with a comprehensive consumer privacy law.
History of the CCPA law
In 2018, as the EU’s General Data Protection Regulation (GDPR) was going into effect, private California resident Alastair Mactaggert was spending millions of dollars gathering signatures to qualify a data protection measure called the California Consumer Privacy Act.
Mactaggert’s goal was to give consumers privacy protection rights, such as the right to know what information is being collected by Facebook and Google, the right to say no to the sale of personal information, and the right to delete posted personal data.
While the tech industry vowed to fight the initiative, two senators came to a deal with Mactaggert and backed a scaled-back bill instead. Mactaggert withdrew the initiative from the voter ballot and the CCPA bill was passed and signed into law by the California State Legislature on June 28, 2018.
CCPA vs. GDPR
CCPA is similar, but not identical, to GDPR. In fact, if you are already working to comply with GDPR requirements, you likely already have some of the CCPA-mandated privacy capabilities in place.
Both mandates are variations on the theme of data privacy, but they differ in their definitions of protected individuals and data. For example, the CCPA definition includes protection of information linked at the household or device level (like browsing and search history). They also differ in the security measures they require–GDPR mandates that reasonable security and privacy measures are in place. CCPA itself does not specifically outline such preventative measures, but they are implied. The Attorney General for California recommends the use of such things as the CIS Common Security Controls.
In general, CCPA has fewer requirements and is more “business friendly” than GDPR. For example, while California consumers protected by the CCPA can request to invoke certain rights (such as the Right to Deletion of personal data), the consumer is required to pay a fee to compensate the business for the time and effort required to fulfill the request.
There has no doubt been a recent swell of activism in privacy and data rights. While California is the first state in the US to pass such legislation, the consensus is that other states–and even the US at large–will follow suit. Some predict eventual global online privacy laws. Either way, it’s imperative that businesses and consumers pay attention to this issue.
Starting with GDPR compliance and CCPA training for your company is a great way to evaluate whether or not you are currently in line with privacy and security mandates and will help you prepare for more to come.
What rights does CCPA give to CA residents?
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.
What does CCPA compliance entail?
The bulk of CCPA compliance will consist of policies and processes in place for when consumers want to exercise their rights. For example, businesses must have a “do not sell my personal data” link on their homepage. And if there’s a request to exercise a right, the business must comply within 45 days.
The areas that businesses will likely need to spend resources on include:
- Inventory and mapping of in-scope data and any activities involving “selling” data
- Consumer right to personal data access and personal data deletion
- Consumer right to opt out of sale of personal data
- Looking at third-party data processors: updating service agreements
- Information security: updating systems and processes to protect data and prevent breaches
The time, money, and detail required for these activities will vary based on variables like business size, business type, number of data records, and current systems and processes.
It may seem like compliance with laws like CCPA and GDPR is pro-consumer and puts a burden on businesses, but in reality, these measures are extremely beneficial to a company’s security stance and should not be ignored, regardless of laws. Security- and privacy-related laws and mandates like GDPR, CCPA, PCI DSS, HIPAA, HITRUST, NIST, and others are all striving for the same goal: to make the world a safer place for everyone.
What are CCPA noncompliance fines?
If the Attorney General of California notifies a business that it has failed to comply with CCPA, the business will have 30 days to “cure” any violations. If noncompliance continues, penalties are $2500 per violation or $7500 per intentional violation, and there is no ceiling to CCPA damages. Consumers who have been harmed by a company’s noncompliance with CCPA may seek $100 to $750 per incident.
CCPA Education and Training
Even if the CCPA doesn’t apply to you as a law, it’s still best practice to be familiar with and implement measures that will help you properly protect and handle the data of which you are a steward. Data security mandates protect you and your data subjects, and as we expect lawmakers to enact similar laws, it’s in your best interest to educate yourself sooner rather than later.
The best first step to compliance is education. It’s a good idea to learn if and when this law might apply to your business, especially if you do business with California resident data.
Our CCPA workforce training is a great way to make sure your entire organization is familiar with CCPA. Our trainings improve employee understanding of security best practices through interactive quizzes. You can easily monitor training completion, renewal deadlines, and training quiz scores among your employees. Easily accessible help and role-based courses provide support throughout the training process.
If after the research and training phase you find that you still have questions, I would suggest finding an organization to consult with to move to the next level. SecurityMetrics offers these services for both privacy and security.
Good luck in your efforts to learn and comply with CCPA, and just remember . . . keep your stick on the ice.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is the Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live long and prosper as you visit his other blog posts.