The California Consumer Privacy Act (CCPA) provides residents with rights to protect their personal information from unauthorized use or sale. Part of California Civil Code—§§ 1798.100 to 1798.199—the CCPA gives consumers more control over their personal data by subjecting uncompliant businesses to fines and exposing them to civil lawsuits.
Let’s jump in and learn:
What Is the California Consumer Privacy Act (CCPA)?
The CCPA went into effect in 2020 as the most comprehensive privacy legislation in the United States. For-profit businesses transacting in California or collecting California consumers’ personal information must comply with CCPA requirements.
While the CCPA is aimed at bolstering consumers’ privacy rights, it puts a significant operational burden on businesses. Compliance with the CCPA is a major concern for any business that engages with California residents.
Why It Exists
Historically, California has been a data privacy pioneer. In 1972, voters added privacy to the California Constitution’s list of inalienable rights of the people.
However, the state’s legislation fell behind technological capabilities. The issue noted in the bill is “the proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy.” The CCPA, Assembly Bill 375, was passed to close the gap.
What It Means for Business
With nearly 40 million residents, California is a critical global marketplace. Regardless of the channel, California residents’ personal data is acquired by businesses around the world. To avoid potential fines and civil lawsuits, businesses that do not explicitly block transactions with California residents are required to comply with all requirements of the CCPA.
Data Covered by the CCPA
The CCPA protects individuals’ personal information. The ultimate objective of the CCPA is to stop unwanted and unauthorized use of personal information by businesses and their partners.
Personal information is coveted, and thus protected, because of inferences that can be drawn through the aggregation of multiple pieces of personal information.
The data covered by CCPA can be used to make a profile about a consumer. This is what the law aims to prevent.
Whose data is protected by the CCPA?
The CCPA applies only to the personal information of consumers who are California residents and covers California residents that leave the state temporarily. It does not apply to those visiting California on a temporary basis.
When is personal information excluded from the CCPA?
Although the CCPA gives consumers the right to opt-out of the sale of personal information, it does not apply to the disclosure (as opposed to sale) of personal information to third parties. If a consumer uses or directs a business to disclose personal information or uses the business to intentionally interact with a third party, the CCPA rules do not apply. That is assuming the third party does not sell the consumer’s personal information.
Definition of personal data
Under the CCPA, personal information is defined as any information that could be associated with a particular consumer or household—directly or indirectly. The law specifies a number of examples of personal information, but makes clear that the list is not exhaustive.
The CCPA definition of personal data includes:
- Real name
- Postal address
- Unique personal identifier
- Online identifier
- Internet protocol address
- E-mail address
- Account name
- Social Security number
- Driver’s license number
- Geolocation data
- Professional or employment-related data
- Education-related information
Key Provisions in the CCPA
The CCPA affords California residents far-reaching rights to protect their personal information. These rights fall into the following categories.
- Right to be informed about what personal information is being collected, how it is being used, and with whom it is shared.
- Right to opt-out of having personal information be sold.
- Right to be forgotten (i.e., right to be deleted) allows consumers to request that their personal information be erased. (NOTE: There are exceptions, including those businesses can still keep information to protect against fraud or to comply with other legal obligations.)
- Right of access allows consumers to obtain “the specific pieces of personal information” that have been collected about them, along with the sources of that information, the purpose for collecting or selling that data, as well as third parties with which the information is shared.
- Right to non-discrimination consumers can exercise rights over their data without fear of discrimination—specifically “the right of Californians to equal service and price, even if they exercise their privacy rights.”
Response to consumer rights requests
Businesses must respond within 45 days when a consumer submits a personal information request. According to the CCPA, personal information must be provided at no cost unless the business can prove that the request is “manifestly unfounded or excessive.”
The information can be provided on paper or digitally. If delivered in electronic format, the CCPA states that the “information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.”
The CCPA requires businesses to provide four types of notices to consumers. These must be clearly written in easy-to-understand language and accessible to all consumers. Therefore, they must accommodate for disabilities as well as be available in the language(s) spoken where a company conducts business.
- Notice at the time of data collection
Consumers must be advised about how their personal data will be used. Businesses must have the explicit consent of consumers to use this information for the purpose stated or for new purposes.
- Notice of the right to opt-out
Consumers have the right to opt-out of the sale of their personal information from one business to another organization.
- Notice of financial incentives
Consumers must be provided with a description of any incentive, material terms, how to opt-in, how to withdraw, and an explanation of why the incentive is permitted under the CCPA.
- What information the business collects
- Why it collects that personal data
- Who the business may share the data with, and why
- How the business collects the data
- Who the consumer can contact if they wish to know more about how their data is used or stored
- What the consumer’s rights are regarding the data
Data breach lawsuits
The CCPA makes it possible for consumers to sue businesses in the event of a data breach. However, under the CCPA, consumers can only sue businesses if certain types of personal information have been subject to unauthorized access and were not encrypted or redacted. This includes consumers’ first name (or first initial) and last name in combination with any of the following:
- Social Security number
- Driver’s license number
- Tax identification number
- Passport number
- Military identification number
- Other unique identification number issued on a government document commonly used to identify a person’s identity
- Financial account number
- Credit card number
- Debit card number, if combined with any required security code, access code, or password that would allow someone to access the account
- Medical or health insurance information
- Unique biometric data, but not including photographs unless used or stored for facial recognition purposes
Not all organizations and data are required to meet CCPA compliance requirements. CCPA exemptions include:
- Data collected by:
- Nonprofit organizations
- Government agencies
- Businesses that operate “wholly outside” of California
- Data regulated by other laws, such as:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- California’s Confidentiality of Medical Information Act
- De-identified information— “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer”
- Aggregated information— “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device”
- Certain types of publicly available information— “information that is lawfully made available from federal, state, or local government records”
Companies That Must Comply
All for-profit businesses that do business in California and meet any of the following criteria must comply with the CCPA:
- Have gross annual revenue of over $25 million
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices
- Derive 50% or more of their annual revenue from selling California residents’ personal information
Penalties for Non-Compliance
The California attorney general enforces compliance with the CCPA. If a CCPA violation is considered intentional, the fine is $7,500 to be paid to the state. If the violation is deemed unintentional, the fine is $2,500.
In the event of a data breach, companies not only face state penalties, but can be liable for statutory damages under the CCPA.
Businesses that fail to implement reasonable security measures, as specified by the CCPA, can be subject to civil lawsuits filed by consumers. If a business experiences a data breach and is considered to have allowed unreasonable access to data, the company can be made to pay statutory damages that range from $100 to $750 per consumer.
Steps to Compliance
CCPA is very complex legislation that can be applied differently to different companies—depending on how they collect and use personal information. Following are several broadly applicable considerations for CCPA compliance.
Review personal data collection
The CCPA sets forth specific rights to consumers regarding their personal data. For all personal and sensitive information collected, it is important to know:
- What data is being collected
- Where the data is stored
- What is being done with the data
- Whether the data is shared with or sold to third parties
If data is collected for a business by a third party, this information should also be part of that data flow mapping.
Refine privacy notices
To meet CCPA requirements, businesses must provide consumers with specific privacy disclosures at or before the point of data collection. These policies should be reviewed annually.
- What information a business collects
- Why it collects that data
- Who the business shares the data with, and why
- How the business collected the data
- Who the consumer can contact for information about their personal data
Provide an option for customers to opt-out
Consumers should be given the opportunity to tell a business that they do not want their personal information sold. According to the CCPA, there must be a link on a business’s home page that clearly says, “Do Not Sell My Information.” This should go to a landing page where visitors and consumers can request opt-out of having their personal information shared or sold to third parties.
Age restrictions that replace the general opt-out include:
- The company must collect opt-in consent to sell the personal information of a consumer under the age of 16 years old.
- Consumers between 13 and 16 years of age must affirmatively authorize the sale of their personal information.
- A parent or guardian must affirmatively authorize the sale of information if the child is under the age of 13.
Have a plan for consumers’ data subject access requests
Businesses should be prepared to respond to consumers’ requests about how their personal information is being used. The CCPA states that these requests must be responded to within 45 days and at no charge. These requests can include:
- Providing consumers with copies of their personal information
- Deleting the personal information of consumers who request such action
- Explaining what categories of personal information are sold or shared with third parties
Keep security updated—software, hardware, and physical
The CCPA requires businesses to make updates to their software and computer systems to protect against data breaches, such as installing patches in a timely manner. Physical security should also be considered, as it is another potential vector for data breaches. Regular vulnerability assessments can help with this by identifying risks such as:
- Unencrypted data
- Bugs in software or programming interfaces
- Hidden code or backdoors
- Automated scripts run without malware scans
- Superuser and admin account privileges
- Unpatched security vulnerabilities
- Physical site weaknesses
Train teams—internal and partners
Once CCPA protocols are documented and plans are put in place, it is critical that everyone involved with data—internal and partners—understands the rules and the consequences of failures. Training sessions should cover the following topics:
- What CCPA compliance entails
- How the CCPA impacts the business
- How the CCPA applies to business, visitors to websites, and consumers
- Who is considered a “consumer” under the CCPA
- How to handle data subject access requests
The CCPA and Data Security
Under the CCPA, businesses are required to implement and maintain “reasonable security procedures and practices” to protect consumers’ personally identifiable information or PII.
The CCPA states that:
any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action…
At its heart, the CCPA has a goal of maintaining and protecting the confidentiality, integrity, and availability of data.
- Confidentiality Protecting data from unauthorized disclosures
- Integrity Protecting data from unauthorized, or unintentional, modification or deletion
- Availability Making data readily accessible to authorized users
The CCPA does not explicitly define “reasonable security procedures and practices,” but statements made by the California attorney general have endorsed the Center for Internet Security’s (“CIS”) Critical Security Controls. Among these are specific measures businesses can take to provide reasonable security, including the following:
- Create a data inventory that maps the flow of sensitive information
- Remove sensitive data not regularly accessed by the business
- Monitor and block unauthorized network access
- Monitor and detect any unauthorized use of encryption
- Minimize sensitive data by destroying any that is no longer needed
- Encrypt the hard drives of all mobile devices
- Manage USB devices
- Encrypt data on USB devices
Industry best practices also provide guidance on how what “reasonable security procedures and practices” should be employed to meet CCPA’s compliance requirements. The following are some of the most commonly used, and go beyond cybersecurity to include information governance:
- Encryption and redaction of all data that contains personal information
- Strong network security systems and protocols
- Safeguards for physical documents
- Disposal policy for data that is no longer required
- E-mail security
- Password management
Do Not Rely on the CCPA Safe Harbor Clause
While the CCPA has a safe harbor clause, it does not protect against civil lawsuits if “actual pecuniary damages” were incurred. CCPA compliance requirements can be met with proper planning and maintenance. Follow best practices and stay on top of amendments to the CCPA.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of customers worldwide.