With the introduction of the GDPR, Europe showed the world that it was taking data privacy and data security laws seriously. Whatever your opinions are on the effects of the GDPR and how GDPR breaches are being handled, it can’t be denied that the thinking behind it is rational.
It was only a matter of time before other countries followed suit.
In the USA there is still no federal regulation matching the stringency of the GDPR, but individual states have begun to implement their own versions. On 1 January 2020, California will implement its own GDPR-like mandate: the California Consumer Privacy Act (or CCPA).
The CCPA will introduce a wave of new data security and data privacy rights for consumers in relation to how their personal data is collected, stored and processed. Companies have until the first day of 2020 to become compliant.
The Objectives of the CCPA
The CCPA has three main objectives to improve how organizations handle the personal information of consumers. The first is to give consumers visibility of what information businesses collect about them. The second is to give consumers more control over whether their information is shared with or sold to third parties. The third is to provide added protection for consumers against businesses that are not taking privacy and security seriously.
Who the CCPA Applies To
The CCPA applies to any for-profit entity doing business in California that collects the personal information of consumers (or has it collected on its behalf) and determines the purposes and means of processing it. Such a business must also meet at least one of the following thresholds to fall within scope:
- Annual gross revenue of over $25 million
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
There are a few key exemptions. Notably, medical information already governed by HIPAA and personal information collected under the Gramm-Leach-Bliley Act are carved out. These exemptions apply to the data covered by those laws, not to the business as a whole: a hospital or a bank still has to handle its other consumer data (website analytics, marketing lists and so on) under the CCPA. Being compliant with another major regulation helps, because much of the groundwork (knowing what data you hold, where it is and who can access it) is the same, but it does not make the CCPA a walk in the park.
A Few Key Definitions Within the CCPA
Compliance regulations tend to be vague when defining the terms they use, and the CCPA is no different. We have already covered who the CCPA considers a covered business, and that definition is reasonably straightforward.
The definition of a consumer is broader than it sounds and worth noting. It is any natural person who is a California resident. A resident is someone who is in the state for other than a temporary or transitory purpose, or who is domiciled in the state but is outside it for a temporary or transitory purpose. In other words, the law follows the person rather than the place where the interaction happens: a Californian using your service while travelling is still a consumer under the CCPA.
Similarly, the definition of personal information is deliberately broad (as it is in most privacy regulations). In general, personal information is data that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” In other compliance regulations, this kind of data is often referred to as personally identifiable information (or PII).
The CCPA does provide a list of examples of data that falls under this definition, including names, addresses, property records, biometric data, browsing history, passport numbers etc. If you want to be safe, you should assume that any information you collect on an individual should be considered personal information and kept appropriately secure and private.
You can refer to the full list if you want to read through all the examples.
Consumer Rights Under the CCPA
As we previously mentioned, the CCPA aims to give consumers greater insight and control over how their personal information is collected, stored, processed and shared. This is achieved through the implementation of four specific consumer rights.
Right to Access: California consumers will be able to formally request that a covered business disclose the categories and specific pieces of personal information it has collected about them, the sources it was collected from, the business purpose for collecting it, and the categories of third parties it has been shared with or sold to.
Right to Opt-Out: If a California consumer does not want a covered business to sell their personal information, they have the right to opt out, and the business must honour that choice.
Right to Deletion: California consumers have the right to request that a covered business delete the personal information it has collected about them, subject to a limited set of exceptions (for example, data needed to complete a transaction they requested or to meet a legal obligation).
Right to Equal Service and Price: This provision protects California consumers from being discriminated against for exercising their rights under the CCPA. A covered business cannot deny goods or services, charge a different price, or provide a different level of quality to consumers who have exercised their rights under the law.
How Businesses Can Achieve and Maintain CCPA Compliance
As a starting point, a business in scope needs to be able to document, and state plainly in its privacy notice, the following:
- The type of information you collect and process
- The reason(s) why you collect and process this information
- The means by which you collect and process information
- The means by which users can request access to, edit, move or delete their information
- The protocols for verifying the identity of the person who submits a request
- The means by which a user can opt-out of the selling of their data
The Sale of Personal Data
The CCPA does not prohibit the sale of personal data; however, users must be able to opt out via a link that reads “Do Not Sell My Personal Information”.
The link must be placed on your website’s homepage, it must be clearly visible, and the process must be as simple as possible. You must not force users to create an account before opting out.
For consumers who are at least 13 but under 16 years old, you must obtain their explicit opt-in consent before selling their data. If the consumer is under 13, you need opt-in consent from a parent or guardian. In other words, for minors the default flips from opt-out to opt-in.
Verifying the Identity of the Requester
Under the CCPA, when a consumer submits a request to access or delete their data, the business is required to verify the identity of the person making the request, so that it does not hand personal data to a fraudster, or delete a legitimate customer's data on an impostor's say-so.
The problem, however, is that the law does not clarify what qualifies as “verified”. This may encourage organizations to use sub-standard protocols and solutions to satisfy the verification requirement, thus potentially creating a security risk.
In an ideal world, businesses would carry out a KYC-style (Know-Your-Customer) identity check of the kind used for AML (Anti-Money Laundering) compliance. Alternatively, they could implement some form of biometric authentication, such as face-based authentication matched against a government-issued ID. The reality is that most companies do not have the time or resources for either of these.
Another option is an online identity verification service, which is relatively fast, affordable and convenient. Whichever route you take, match the strength of the check to the sensitivity of what is being released or deleted: a request that will disclose a full data export deserves stronger verification than one that only confirms a category of data is held. Be aware, too, that identity documents collected to verify a request are themselves sensitive personal information, so they need to be protected and deleted once the request is resolved, rather than quietly adding to the data you have to secure.
Data Discovery and Classification
One of the most important things an organization can do to ensure CCPA compliance is to know exactly what personal data it holds and where that data is located.
Most organizations store large amounts of unstructured data, such as photos, audio-visual content, Word documents, spreadsheets and so on. A lot of this unstructured data contains PII, yet many organizations fail to identify it.
Sifting through vast archives of unstructured data by hand is simply not feasible for most organizations, so they need technology that automates the process. There are a number of solutions on the market that can automatically discover and classify a wide range of PII, and that can be configured to match the requirements of the most prominent compliance regimes, such as GDPR, HIPAA, SOX, PCI DSS and CCPA.
Such solutions are invaluable when it comes to protecting PII and satisfying the relevant compliance requirements. After all, an organization that cannot respond to a subject access request (SAR) within the statutory deadline may face a hefty fine or other enforcement action. It should be noted, however, that these solutions have a significant limitation: they can only discover PII in content they can read as text. Data inside images, audio, encrypted archives or compressed files that the scanner does not expand is invisible to pattern matching, so a clean scan result is only as good as the scanner's coverage of the formats in your estate. Vendors are starting to close this gap with OCR, transcription and machine-learning classifiers, but until that is the norm you should treat unscanned media as a known blind spot rather than as clean.
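To make the discovery-and-classification step concrete, here is an added example of a minimal plaintext PII scanner. It is not code from this page or from any Lepide product; the PII types, the regexes, the regime tags and the sample corpus are all assumptions made for the example. It shows two things a practitioner cares about: a Luhn check to keep order numbers from being reported as payment cards, and the plaintext limitation discussed above, where a gzip-compressed file yields nothing until the scanner expands it.

```python
import gzip
import re
from collections import defaultdict

# Regexes for a few common plaintext PII types. The set and the patterns are
# this example's own choice; a product would ship hundreds of these.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # US SSN: reject area 000/666/9xx, group 00 and serial 0000, which are never issued.
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "us_phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?[2-9]\d{2}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    # 13-19 digits with optional separators; candidates are Luhn-checked below.
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

# Illustrative mapping from PII type to the regime that cares about it (assumption).
REGIME_TAGS = {"payment_card": "PCI DSS"}


def luhn_ok(digits):
    """Luhn checksum, used to separate real card numbers from order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_text(data):
    """Cheap heuristic: a NUL byte means binary, compressed or encrypted content,
    which a plaintext scanner cannot inspect."""
    return b"\x00" not in data


def scan_text(text):
    """Return {pii_type: [matches]} for one document."""
    findings = defaultdict(list)
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "payment_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # digit run that fails Luhn: an order/reference number, not a PAN
            findings[kind].append(value)
    return dict(findings)


def classify(findings):
    """Tags for a document: any PI about a consumer is CCPA-relevant; cards add PCI DSS."""
    tags = set()
    if findings:
        tags.add("CCPA")
    for kind in findings:
        if kind in REGIME_TAGS:
            tags.add(REGIME_TAGS[kind])
    return sorted(tags)


def scan_files(files, decompress=False):
    """Scan a {path: bytes} corpus. With decompress=True, .gz members are expanded
    first, which is the difference between finding and missing their PII."""
    report = {}
    for path, data in files.items():
        if decompress and path.endswith(".gz"):
            data = gzip.decompress(data)
        if not looks_like_text(data):
            report[path] = {"scannable": False, "findings": {}, "tags": []}
            continue
        findings = scan_text(data.decode("utf-8", errors="replace"))
        report[path] = {"scannable": True, "findings": findings, "tags": classify(findings)}
    return report


# Constructed sample corpus; none of these values belong to a real person.
SAMPLE_FILES = {
    "hr/onboarding.txt": b"Jane Doe, SSN 123-45-6789, contact jane.doe@example.com, tel (415) 555-0134",
    "finance/orders.csv": b"order_ref,card\n1234 5678 9012 3456,4111 1111 1111 1111\n",
    "archive/export.txt.gz": gzip.compress(b"Legacy export: jdoe@example.org 456-78-9012"),
    "public/readme.txt": b"No personal data here, just release notes.",
}

if __name__ == "__main__":
    for path, result in scan_files(SAMPLE_FILES).items():
        print(path, result)
    print("after decompression:", scan_files(SAMPLE_FILES, decompress=True)["archive/export.txt.gz"])
```

Run as-is, the first scan reports the HR file and the orders file, marks the gzip archive as not scannable, and reports nothing for the readme. Only the second scan, with decompression enabled, surfaces the e-mail address and SSN inside the archive. A real deployment has to make the same decision for every container and media format it meets, and anything it cannot open should be listed as unscanned rather than silently counted as clean.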
Auditing and reporting
In addition to locating PII, organizations are required to tell consumers how they collect, store, process and trade personal data. The CCPA stipulates that a response to a request must cover the 12-month period preceding the request. That means organizations must keep a log of all activity relating to PII for at least that long, and must be able to search and filter it by consumer in a timely and efficient manner.
Doing this manually would be slow and painful and would require specialist personnel. A DCAP (Data-Centric Audit and Protection) solution can aggregate log data from multiple sources (including the most popular cloud-storage platforms) and present it in a single dashboard. Events relating to the consumer who submitted the request can be located in a few clicks, and a pre-defined report can be generated automatically in a form that satisfies the CCPA's disclosure requirements.
It is also worth noting that, these days, most sophisticated DCAP solutions come with data discovery and classification functionality built in.
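As an added example of the reporting step, here is a small script that builds the 12-month disclosure for one consumer from an audit trail. It is not code from this page or from any Lepide product; the JSON Lines schema (field names such as subject, action, category and recipient), the event values and the request date are all constructed for the example. It handles the look-back boundary explicitly, including the leap-day case, and shows why the log must be kept longer than the data it describes: the browsing-history collection falls outside the window, but its sale inside the window still has to be disclosed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit trail in JSON Lines form. Field names are assumptions for
# this example; a real DCAP or SIEM export will use its own schema.
AUDIT_LOG = """\
{"ts": "2018-12-01T09:00:00Z", "actor": "web-app", "action": "collect", "subject": "c-1042", "category": "browsing_history", "source": "tracking-pixel"}
{"ts": "2019-02-20T10:15:00Z", "actor": "web-app", "action": "collect", "subject": "c-1042", "category": "email", "source": "signup-form"}
{"ts": "2019-06-05T14:30:00Z", "actor": "crm-sync", "action": "share", "subject": "c-1042", "category": "email", "recipient": "mail-vendor.example"}
{"ts": "2019-08-11T08:45:00Z", "actor": "adtech-export", "action": "sell", "subject": "c-1042", "category": "browsing_history", "recipient": "ad-exchange.example"}
{"ts": "2019-09-02T16:00:00Z", "actor": "analyst.jsmith", "action": "access", "subject": "c-1042", "category": "email"}
{"ts": "2019-09-02T16:01:00Z", "actor": "analyst.jsmith", "action": "access", "subject": "c-2077", "category": "email"}
{"ts": "2020-01-03T11:00:00Z", "actor": "web-app", "action": "collect", "subject": "c-1042", "category": "address", "source": "checkout"}
"""


def parse_events(log_text):
    """Parse JSON Lines into dicts with an aware datetime in 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def twelve_months_before(moment):
    """Start of the CCPA look-back window. Feb 29 has no counterpart a year earlier."""
    try:
        return moment.replace(year=moment.year - 1)
    except ValueError:
        return moment.replace(year=moment.year - 1, day=28)


def build_sar_report(events, subject, request_time):
    """Disclosure for one consumer covering the 12 months before request_time.
    request_time must be timezone-aware so it compares cleanly with event times."""
    start = twelve_months_before(request_time)
    in_scope = [e for e in events
                if e["subject"] == subject and start <= e["ts"] <= request_time]
    by_action = defaultdict(list)
    for e in in_scope:
        by_action[e["action"]].append(e)
    return {
        "subject": subject,
        "window": (start.isoformat(), request_time.isoformat()),
        # What was collected, and from where, inside the window.
        "categories_collected": sorted({e["category"] for e in by_action["collect"]}),
        "sources": sorted({e["source"] for e in by_action["collect"]}),
        # Third parties the data went to; a sale is disclosable even if the
        # collection it relates to happened before the window opened.
        "shared_with": sorted({e["recipient"] for e in by_action["share"]}),
        "sold_to": sorted({e["recipient"] for e in by_action["sell"]}),
        # Internal reads are not required in the consumer's disclosure, but they
        # are what an investigator needs if the request turns out to be fraudulent.
        "internal_access": [(e["ts"].isoformat(), e["actor"], e["category"])
                            for e in by_action["access"]],
        "event_count": len(in_scope),
    }


if __name__ == "__main__":
    request = datetime(2020, 1, 10, tzinfo=timezone.utc)  # constructed request date
    print(json.dumps(build_sar_report(parse_events(AUDIT_LOG), "c-1042", request), indent=2))
```

For the constructed request on 10 January 2020, the window opens on 10 January 2019, so the December 2018 collection event is excluded while the August 2019 sale of that same category is included. The event for consumer c-2077 is excluded by subject, which is the other filter a verified request must apply before anything is disclosed.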
To help you classify your sensitive data, govern access, track user behavior and spot threats, you can leverage a solution like the Lepide Data Security Platform. If you would like to see an example of how the Lepide Data Security Platform can help you achieve and maintain CCPA compliance, schedule a demo with one of our engineers today.