The California Consumer Privacy Act of 2018 (CCPA) was signed into law in June 2018 and took effect on January 1st, 2020, in response to a growing number of incidents in which businesses mishandled consumer data, whether through poor data handling policies or through data breaches.
The CCPA gives Californian consumers greater transparency into how their sensitive personal information is handled. California was the first state to implement such strong data collection and handling laws, and its data security framework will likely become a blueprint for all other states.
Under the CCPA, California residents have a right to:
- Know when their personal data is collected by businesses
- Know when their personal data is being sold to, or shared with, a third party
- Deny the sale of their personal data
- Have their personal data deletion request honored
This landmark law mirrors the consumer data protection posture of the European Union's General Data Protection Regulation (GDPR) and of Canada's proposed Bill C-11. The CCPA regulations also give Californian businesses guidance on how to adhere to the law.
In November 2020, the California Privacy Rights Act (CPRA) was passed as an amendment to the CCPA, adding many additional consumer privacy rights. The terms CCPA and CPRA are often used interchangeably, since both refer to the same body of privacy regulation.
Similar data privacy laws are either being considered or are already implemented in Nebraska, New York, and Washington. This article will examine how this law could impact businesses and how your organization can become CCPA-compliant.
Important: The provisions of the CCPA have been amended and expanded in the California Privacy Rights Act (CPRA). To learn about the CPRA, read this post.
Who Must Comply with the California Consumer Privacy Act?
The CCPA applies to for-profit businesses that have business operations in California and meet any of the following criteria:
- Gross annual revenue of $25 million or more.
- Process personal information for over 50,000 Californian residents, households, or devices (including buying, receiving, or selling data).
- Derive at least 50% of their annual gross revenue from the sale of California residents' personal data.
CCPA compliance is not limited to businesses physically located in California.
Any business located outside of California must still comply with CCPA regulations if it:
- Offers Californians the opportunity to purchase their products or services,
- Collects any personal information from Californians (such as IP addresses of web visitors), or
- Shares branding with a business that's bound to the CCPA.
The CCPA does not apply to non-profit organizations.
How Does the CCPA Define Personal Data?
The enforcement of this law depends on the CCPA's classification of personal data. Under the CCPA, a consumer's personal information includes any data that identifies, connects, or relates to an individual and/or their household.
This includes the following categories of personal information:
- Email addresses
- Social Security numbers
- Records of purchased products
- Internet browsing history and search history
- Geolocation data
- Biometric data
- Driver's license numbers
- Inferences from other sources that can be used to create a profile about an individual's preferences and characteristics
How Does the CCPA Differ From the GDPR?
The CCPA has a broader classification of personal data compared to the European Union's (EU) GDPR.
Unlike the GDPR, the CCPA extends its scope to households: any data that identifies an individual or a household can fall under CCPA regulations.
Another difference between the two regulations is that the GDPR applies to any organization that collects and holds personal data of EU citizens, whereas CCPA compliance is only expected of businesses that meet at least one of the CCPA's three thresholds.
CCPA and the Current California Data Breach Notification Law
The CCPA does not impact current data breach notification obligations under Section 1798.82 in the State of California, meaning organizations are not required to report data breaches under the CCPA. However, businesses and state agencies must still notify California residents whenever an unauthorized party gains access to their unencrypted personal data in a data breach under the current California Data Breach Notification Law. Businesses can submit data breach notifications via this online portal.
Businesses suffering a breach impacting more than 500 California residents must submit a sample copy of the breach notifications to the California Attorney General. This notification must exclude any personal information identifiers.
The CPRA also established the California Privacy Protection Agency (CPPA) to help the California Attorney General enforce the notification laws.
California residents have the right to access all data breach notification submissions via this search engine.
How Should Businesses Respond?
Because the expectation of a resilient security posture still applies to all Californian businesses, the following data breach mitigation actions should be implemented:
- Review mandatory cybersecurity frameworks - Businesses should review all mandatory cybersecurity regulations in their industry, such as HIPAA, PCI DSS, COBIT, NIST, ISO, etc.
- Implement cybersecurity frameworks - Even without mandatory compliance, implementing popular cybersecurity frameworks can significantly raise cyber resilience levels.
- Secure third-party attack surface - 60% of data breaches result from compromised third parties. A third-party attack surface monitoring solution will surface any third-party vulnerabilities increasing the risk of supply chain attacks and third-party data breaches.
- Review incident response plans - Ensure that all existing incident response plans support the rapid containment of data breaches and their notifications.
How to Comply with CCPA Requirements
Each of the key provisions of the CCPA detailed below is supported by a summary of how businesses should respond to attain compliance.
Automatic disclosure of personal data processing practices
Under the CCPA, businesses must:
- Notify consumers of the categories of personal data being collected at or before the point of collection.
Businesses must also update the following details in the data collection policies on their website every 12 months:
- A detailed description of consumer rights under the CCPA, including the right to data deletion and the right to opt out of the sale of personal data.
- A detailed description of how to submit data deletion requests.
- A breakdown of all the categories of personal data that were shared or sold in the last 12 months.
Businesses are not obligated to honor requests to disclose personal data handling practices from the same customer more than twice in 12 months.
How Should Businesses Respond?
In response to this provision, businesses should:
- Publish a description of consumer rights under the CCPA and make this information readily accessible from the homepage.
- Publish privacy notices describing the business purposes behind the collection and sale of personal data.
- Establish internal policies for accurately responding to all CCPA privacy protection inquiries.
- Implement processes that accurately identify the categories of consumer personal data being collected, shared, and sold.
Consumers have the right to request the complete deletion of their personal information
Under the CCPA, consumers have the right to request the deletion of all personal data collected about them.
In most situations, businesses must comply with these requests promptly. However, exceptions apply in the following scenarios:
- When the data is necessary to complete a transaction or to provide a service requested by the customer.
- When the data is required to debug or repair intended product functionality.
- When the information is necessary for the detection or investigation of cyber threats.
How Should Businesses Respond?
In response to this provision, businesses should:
- Establish internal processes to rapidly honor consumer requests to delete stored personal data.
- Establish reliable communication channels for responding to data deletion requests.
- Create an internal document describing the scenarios in which deletion requests may be denied.
Consumers have a right to opt out of the sale of personal information
The CCPA empowers consumers to opt out of the sale of their personal data at any time.
Before any customer PII is sold, businesses must give impacted consumers clear notice of their intention to sell, alongside instructions on how to opt out of the inclusion of their data in the sale.
Any third-party service provider that purchased consumer data cannot resell that data unless impacted consumers are given clear notice and provided with an opportunity to opt out of the sale.
How Should Businesses Respond?
In response to this provision, businesses should:
- Include a link on their homepage titled "Do Not Sell My Personal Information," which directs users to a web page explaining how to opt out of the sale of their personal data.
- Not require consumers to create an account in order to opt out.
- Establish processes for tracking all opt-out requests.
All Consumers Have the Right to Equal Service and Non-Discrimination
Should a consumer, or website visitor, elect to exercise their rights under the CCPA, the business receiving the request must not:
- Impede the availability of goods and services to the consumer.
- Reduce the quality of customer service for the consumer.
- Charge the consumer at different rates.
- Deny such consumers the use of discounts or coupon codes available to all other consumers.
Penalties for Non-Compliance
Organizations have up to 45 days to respond to consumer requests under the CCPA.
If these requests are not actioned within 30 days, the offending business may be charged a maximum penalty of $7,500 per violation.
Consumers impacted by the unauthorized handling of their data, as outlined in the CCPA, can exercise a private right of action, entitling them to $750 in recovery damages per violation.
How UpGuard Can Help Organizations Become CCPA-Compliant
UpGuard helps organizations become CCPA-compliant by focusing their efforts on data security through its industry-leading attack surface monitoring and vendor risk management software. With continuous monitoring, organizations are alerted to any potential data breach or data leak involving business or customer information, and UpGuard helps build remediation plans to secure sensitive data.
Additionally, UpGuard offers a CCPA questionnaire that can help organizations and their suppliers meet CCPA compliance. The entire questionnaire process is automated and managed by UpGuard to ensure an efficient and effective workflow.