CCPA Compliance for Businesses
The California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. Its provisions are focused on the protection of consumer privacy and will affect every company that handles the personal information of California residents and meets the Act's thresholds (set out below). Such companies will be required to have comprehensive compliance policies in place that protect both their own business and their third parties, i.e. clients and vendors.
The CCPA is perhaps the most robust consumer privacy act ever passed by any US state. It gives all Californian consumers the right to:
- Know what personal information a business is collecting about them
- Access that data
- Know whether that data is sold or shared, and to whom
- Opt out of its sale
- Have the data deleted
- Not be discriminated against (for example through different pricing or service levels) for exercising any of these rights
Three key California Consumer Privacy Act (CCPA) terms defined in the legislation are:
- Consumer
- Business
- Personal information
In the CCPA, "Consumer" means any resident of the state who is not there for a merely temporary or transitory purpose, and is broadly described in the legislation as "a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations."
A "Business" is likewise broadly defined as any for-profit enterprise that collects consumers' personal information, does business in California, and meets any one of the following thresholds:
- Gross annual revenue over $25 million
- Derives at least 50% of its annual revenue from selling consumers' personal information
- Annually buys, sells, shares or receives for commercial purposes the personal information of 50,000 or more consumers, households or devices
The first two thresholds capture medium and larger businesses as well as all data brokers. The last, however, casts a wide net that will likely only widen over time. For example, many Internet-savvy small businesses and tech start-ups could easily be included under this provision: 50,000 devices is a modest number of unique visitors for a consumer-facing website, and data collection here includes the use of web browser cookies and similar tracking technologies that collect and share personal information.
Furthermore, any business that meets one of these thresholds and deals with the personal information of California residents is covered by the Act, whether that business is based in California, in any other US state, or indeed anywhere else in the world.
“Personal Information” is also broadly defined as:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This can include:
- Identifiers (for example an email address, driver's licence number, account name, or IP address)
- Geolocation or biometric data
- Browsing history
- Purchasing history
- Education and work history
- Commercial and financial data
The Act gives the California consumer the right to full disclosure of any and all personal information collected or purchased by any business they have dealings with. On receipt of a verifiable consumer request, a business must provide the consumer, free of charge and within the Act's 45-day response period, with:
- The categories of personal information collected about that consumer
- The specific pieces of personal information collected
- The categories of sources from which the information was collected
- The business or commercial purpose for collecting or selling it
- The categories of third parties with whom the information is shared or to whom it is sold
As noted, the consumer then has the right to opt out of any sale and to request deletion. These rights are enforced by the California Attorney General.
Violations of the California Consumer Privacy Act (CCPA) can attract civil penalties of up to $2,500 per violation, rising to $7,500 per intentional violation. However, a business is first given 30 days' notice to cure the alleged violation before penalties apply. Separately, consumers have a private right of action when a data breach results from a business's failure to implement reasonable security: statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater. Because that figure is per consumer, a single breach affecting a large customer base can produce very large claims.
Given the huge growth in data collection and sharing over the last decade, the potential for rapidly escalating fines and damages for privacy violations should be apparent. Any business operating in California that collects personal information in any form will now need consumer privacy policies that directly address the provisions of the CCPA. Some examples include:
- Develop clear privacy and data collection policies
- Develop an organized database for reporting
- Know the specific CCPA requirements for your business
This would generally be followed by data mapping to identify how the business collects and uses personal information, which consumers it relates to, where it is stored, and with whom it is shared or sold. That map would then be used to develop data management practices that allow personal information to be located and retrieved quickly by consumer, so that a consumer report detailing what has been collected can be compiled within the response period and at no cost to the consumer. The same map supports deletion requests, since data cannot be reliably deleted (including from vendors holding copies) unless every place it lives is known.
There are also specific requirements in the CCPA applying to some businesses that will, for example, require training of customer-facing staff in the privacy rights legislation and in how to handle consumer requests, or require a clear and conspicuous link on the business's homepage titled "Do Not Sell My Personal Information" that lets consumers opt out of the sale of their data.
Interactive Security, Inc. has been at the forefront of providing industry leading expert information technology security services to clients across the globe – focused on IT Security Auditing & Compliance.
We pride ourselves on Making ~ IT COMPLIANCE OBTAINABLE, SIMPLE AND AFFORDABLE.
Vulnerability / Penetration Assessments ~ Application Security ~ PCI DSS ~ HIPAA ~ HITRUST ~ ISO 27001 ~ FedRAMP ~ FISMA/NIST ~ GDPR ~ Privacy Shield