The California Consumer Privacy Act (CCPA) is a new data protection bill that will come into effect on the 1st of January 2020. The CCPA is designed to give Californian citizens more control over how their personal data is stored and processed.
Under the CCPA, companies must demonstrate that they are able to identify, delete or quarantine personal data in a timely manner, as per the data subjects request. Additionally, should a company experience a data breach which resulted in the theft/misuse of personal data, they must be held accountable.
Although, breach notifications were a requirement of the original specification, this was repealed in subsequent drafts. Instead, before notifying the authorities, individuals will be required to pursue their own lawsuits – notifying the business 30 days before initiating legal proceedings.
Regardless, a failure to comply with the CCPA may result in fines of up to $2,500 per violation, assuming the security incident was accidental, and the company failed to respond to the incident within a period of 30-days. For security incidents that are deemed intentional, fines can reach as much as $7,500 per violation.
Who Does the CCPA Apply to?
The CCPA covers businesses that collects and sells the personal information of California consumers. However, not all businesses in California are bound by this new mandate. Companies must have an annual revenue of $25 million or above, possess the data of more than 50,000 consumers, households or devices, or earn more than half of its revenue through the selling of consumer data.
There are also a few other exemptions to help organizations who hare already bound by other similar compliance acts. For example, healthcare entities covered by HIPAA, financial organizations covered by the Gramm-Leach-Billey act and credit agencies under the Fair Credit Reporting Act are all exempt from CCPA.
What Personal Information is Covered By CCPA?
Any “personal information that identifies, relates to, describes, is capable of being associated with, or could reasonable be linked, directly, or indirectly, with a particular consumer or household” will fall under the remit of CCPA. This is a relatively broad definition of personally identifiable information (PII), especially in the language used. To help, legislators have specified a few examples of covered data, including email addresses, IP addresses, biometric information, geolocation data, search histories, online profiles and more.
Four CCPA Definitions to Know About
Like most compliance regulations, the CCPA is cluttered with acronyms and phrases that need defining in order to fully understand. Below are four key phrases that you need to be familiar with in order to meet CCPA compliance:
2. Opt-out: The opt-out clause gives data subjects the right to deny companies the right to sell their data to third parties.
3. Right to be forgotten: Companies must delete a data subject’s personal data, should they request it.
4. Right to privacy without penalty: Should a data subject exercise their privacy rights, companies must adhere to their requests without requesting any additional forms of payment.
CCPA Penalties, Fines and Enforcement
The CCPA will be enforced by the California Attorney General. However, consumers will be able to bring legal action for statutory damages ($100 to $750) per violation or actual damages (whichever is greater) using private attorneys. Remember, to be liable for statutory damages there doesn’t actually have to be proof of the damage, just proof that the company broke the law.
CCPA Preparation with Lepide
The first step towards achieving CCPA compliance is to find out where personally identifiable information (PII), and other forms of sensitive data, is and classify it accordingly. Lepide provides a data classification solution that allows companies to scan their content for sensitive information such as PII, PCI, PHI, and so on. It also allows for automatic tagging and scoring of data, and lets you define classification rules which can be applied both at the point of discovery, and creation. Lepide can even remove false positives from their discovery and classification using proximity scanning to make the process more accurate and reliable.
Knowing where your personal data resides will make it a lot easier to respond to Subject Access Requests (SARs), which include accessing or deleting data, upon request from the data subject.
For those who wish to prevent a given company from selling their personal data, a separate category could be set up and assigned to their data. Access rights can then be assigned to this category, preventing certain members of staff, such as those in the marketing department, from gaining access to the data.
Not only do companies need to know where their personal data is stored, but they also need to monitor all changes to this data, along with the privileges that have been assigned to it. Lepide is able to do this through data access governance and user behavior analytics.
As they say, it’s not a matter of if, but when a security incident occurs, and as with other relevant compliance requirements, companies must be able to provide evidence that they took the necessary precautions when storing and processing personal data. Lepide is able to automatically generate a wealth of customized reports, which can be presented to the supervisory authorities on demand; helping companies avoid potentially large fines.