With the introduction of the GDPR, Europe showed the world that it was taking data privacy and data security laws seriously. Whatever your opinions are on the effects of the GDPR and how GDPR breaches are being handled, it can’t be denied that the thinking behind it is rational.
It was only a matter of time before other countries followed suit.
In the USA, there are still no federal regulations matching the stringency of GDPR compliance, but individual states have begun to implement their own versions of the compliance regulation. On 1 January 2020, California will implement its own GDPR-like compliance mandate – the California Consumer Privacy Act (or CCPA).
The CCPA will introduce a wave of new data security and data privacy rights for consumers in relation to how their personal data is collected, stored and processed. Companies have until the first day of 2020 to become compliant.
The Objectives of the CCPA
The CCPA has three main objectives to improve how the personal information of consumers is handled by organizations. The first objective is to provide consumers with the awareness of the type of information that enterprises are collecting. The second is to provide more rights to consumers about how their information is shared or sold with third parties. And the third is to provide added protection to consumers against enterprises that are not taking privacy and security seriously.
Who the CCPA Applies To
Businesses that must comply with the CCPA are any entity doing business in California, operating for the profit or financial benefit of its shareholders, that collects the personal information of consumers. Businesses that meet these criteria must also meet at least one of the following thresholds to fall under the CCPA:
- Annual gross revenue of over $25 million
- Collects (buys, receives or sells) the personal information of 50,000 or more consumers, households or devices on an annual basis
- Gets 50% or more of its annual revenues through the selling of consumer personal information
There are a few key exemptions from the CCPA. Notably, you are exempt if you are a healthcare provider already covered by HIPAA or a financial services provider covered by Gramm-Leach-Bliley. Essentially, if you are already compliant with another major compliance regulation, then CCPA should be a walk in the park.
A Few Key Definitions Within the CCPA
Compliance regulations in general tend to be vague when it comes to defining the specific terms they use, and the CCPA is no different. We’ve already defined who the CCPA considers to be a covered entity – and that definition appears to be straightforward.
The definition of a consumer, however, is slightly vaguer and worth making a note of. It is defined as any person residing in the State of California. A resident is defined as either someone who is in the state for more than just a temporary or transitory period, or an individual who lives in the state but is outside of the state for a temporary or transitory period.
Similarly, the definition of personal information is generously broad (as is the case with a large number of compliance regulations). In general, personal information is data that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” In other compliance regulations, this kind of data is often referred to as personally identifiable information (or PII).
The CCPA does provide a list of examples of data that falls under this definition, including names, addresses, property records, biometric data, browsing history, passport numbers etc. If you want to be safe, you should assume that any information you collect on an individual should be considered personal information and kept appropriately secure and private.
You can refer to the full list if you want to read through all the examples.
Consumer Rights Under the CCPA
As we previously mentioned, the CCPA aims to give consumers greater insight and control over how their personal information is collected, stored, processed and shared. This is achieved through the implementation of four specific consumer rights.
Right to Access: California consumers will be able to formally request that covered entities disclose to them exactly what information has been collected, where it has been collected from, why it has been collected, who it will be shared with and more.
Right to Opt-Out: If a California consumer does not want a covered entity to sell or share their personal information, they have the right to opt-out – effectively preventing that covered entity from doing so.
Right to Deletion: California consumers have the right to request that covered entities delete the personal information that they have collected should they wish to have it deleted.
Right to Equal Service and Price: This is a caveat that protects California consumers from being discriminated against should they exercise their rights under the CCPA. Essentially, covered entities cannot deny goods and services to consumers who have exercised their rights under the law.
How Businesses Can Achieve and Maintain CCPA Compliance
In broad terms, organizations should take four steps towards achieving CCPA compliance. These steps can be transferred to most other compliance mandates that focus on the security and privacy of consumer data.
Locate the personal information of consumers: You need to be able to discover and classify the personal information of California consumers so that you know exactly where this sensitive data resides in your data sources.
Govern access to that data: Ensure that you know who has access to the data you have classified and take steps to implement appropriate access controls. It’s recommended that you adopt a policy of least privilege or zero trust, where users only have access to the data they need to do their job.
Ensure users are not misbehaving: Analyze the behavior of those users with access to personal information. Make sure that they are not moving, copying, modifying, renaming or taking any other unauthorized action that could affect the security and privacy of the data.
Be able to respond to requests quickly: Make sure you set up the necessary systems and processes to be able to respond to requests from consumers. You need to make available at least two methods for consumers to submit requests (such as email and phone), and you must be able to respond to and comply with these requests promptly.
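As an added illustration of the first three steps (not code from the original post or from Lepide), the script below classifies constructed sample files against a few of the personal-information categories the CCPA example list names, applies an assumed least-privilege access list, and flags audit events where a user outside that list, or a risky action such as copy or rename, touches classified data. The file contents, audit events, ACL and regex patterns are all constructed assumptions for the example.

```python
import re

# Constructed sample file contents (not real data), keyed by path.
FILES = {
    "hr/onboarding.txt": "Name: Alice Example, Passport: 123456789, Address: 1 Main St, Sacramento CA",
    "marketing/newsletter.txt": "Q3 campaign copy, no personal details",
    "analytics/browsing.log": "uid=7781 visited /pricing /checkout",
}

# Illustrative detectors for three CCPA example categories (passport numbers,
# addresses, browsing history). Assumed patterns, not a complete classifier.
DETECTORS = {
    "passport_number": re.compile(r"\bPassport:\s*\d{9}\b"),
    "postal_address": re.compile(r"\b\d+\s+\w+\s+(?:St|Ave|Rd)\b"),
    "browsing_history": re.compile(r"\bvisited\s+/"),
}

def classify(files):
    """Step 1: map each path to the sorted personal-information categories found in it."""
    return {path: sorted(cat for cat, rx in DETECTORS.items() if rx.search(text))
            for path, text in files.items()}

# Step 2: assumed least-privilege access list, users allowed per classified path.
ACL = {"hr/onboarding.txt": {"hr_admin"}, "analytics/browsing.log": {"analyst"}}

# Actions that warrant review even when performed by an authorized user.
RISKY_ACTIONS = {"move", "copy", "modify", "rename"}

# Constructed audit events: (user, action, path).
AUDIT = [
    ("hr_admin", "read", "hr/onboarding.txt"),
    ("intern", "copy", "hr/onboarding.txt"),
    ("analyst", "rename", "analytics/browsing.log"),
    ("intern", "read", "marketing/newsletter.txt"),
]

def flag_events(audit, classified, acl):
    """Step 3: return (severity, user, action, path) for events on classified data
    by a user outside the ACL ("unauthorized") or risky actions by anyone ("review")."""
    flagged = []
    for user, action, path in audit:
        if not classified.get(path):
            continue  # file holds no personal information; nothing to flag
        if user not in acl.get(path, set()):
            flagged.append(("unauthorized", user, action, path))
        elif action in RISKY_ACTIONS:
            flagged.append(("review", user, action, path))
    return flagged
```

Files that match no detector are left out of access governance entirely, so the quality of the detectors in step 1 bounds what steps 2 and 3 can catch.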
To help you classify your sensitive data, govern access, track user behavior and spot threats, you can leverage a solution like the Lepide Data Security Platform. If you would like to see an example of how the Lepide Data Security Platform can help you achieve and maintain CCPA compliance, schedule a demo with one of our engineers today.