We now live in an era of big data. Consumers are sharing significant quantities of information with businesses and organisations at an unprecedented rate. Legislators, policymakers, and governments across the globe have been slow to change their laws to ensure that these organisations adequately protect the data entrusted to them. The EU made headway in May 2018 by introducing the General Data Protection Regulation (GDPR), which set new standards in data protection and granted individuals new rights over their data.
While the US has laws protecting specific types of data, such as the Health Insurance Portability and Accountability Act for healthcare data, there is no federal law addressing general data protection. Following the introduction of GDPR, it was only a matter of time before states introduced laws focussing on information security and data protection.
California became the first state to introduce legislation improving its data privacy laws. Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law in June 2018, amending Part 4 of Division 3 of the Civil Code of the State of California. Ed Chau, member of the California State Assembly, and Democratic Senator Robert Hertzberg authored the bill.
Any organisation that had to alter its business practices to comply with GDPR will find many aspects of CCPA familiar. For example, both have a broad reach: organisations across the globe are required to comply with their rules, not just businesses within their jurisdiction.
CCPA is not a perfect mimic of GDPR, however. GDPR has a much broader scope than CCPA. CCPA primarily focuses on the rights that consumers have over their data, whereas GDPR additionally addresses data security. It is therefore not safe to assume that a GDPR-compliant business is also CCPA-compliant. Careful attention should be paid to CCPA’s specific stipulations to ensure that your organisation is not accidentally in violation of the new rules.
CCPA affects a vast range of organisations. This article details some of the most vital aspects of compliance. However, if you are in doubt that certain practices within your organisation are CCPA-compliant, it is recommended that you seek the advice of a legal professional.
What is covered by CCPA?
Any business that collects consumers’ personal information, does business in California, and satisfies one or more of the following criteria must comply with CCPA, regardless of the physical location of its headquarters. The criteria are:
- has annual gross revenues over twenty-five million dollars ($25,000,000);
- possesses the personal information of 50,000 or more consumers, households, or devices; or
- earns more than half of its annual revenue from selling consumers’ personal information.
Exceptions to these rules may be found on CCPA’s website.
CCPA protects the data of California residents. It protects these consumers even if their data is collected while they are temporarily located outside of California, so businesses must still comply with CCPA when a Californian consumer’s data is collected outside the state.
It is essential that an organisation has a thorough understanding of what CCPA means by “information”. Section 1798.140(o) states that CCPA regulates any data relating to a person, household, or device, or inferences drawn from other information to create a profile about a consumer. This definition of information is much broader than that used by GDPR.
To illustrate this point, some examples of personal information include: online identifiers, IP addresses, email addresses, biometrics, products or services purchased, browsing history, and educational and employment information.
CCPA does not cover information that may be publicly available or created due to conduct outside of California’s borders.
CCPA Consumer Rights Requirements
Much like GDPR, CCPA grants new rights to individuals, allowing them more control over their data. CCPA grants these rights to Californian residents who have had their data collected, processed, or sold by an organisation which falls under CCPA’s scope.
The most important rights are:
- Right to be informed as to the categories of information being collected
- Right to be informed of the purposes for which the data will be used
- Right to know what information the business holds on the consumer
- Right to request that a business delete any information on the consumer
- Right to refuse the sale of the consumer’s information to a third party
- Right not to be discriminated against if the consumer does not permit the sale of their data
Organisations may need to radically change their business practices to ensure that they can fulfil their obligations to consumers and act efficiently if a consumer exercises any of their rights.
CCPA Data Security Requirements
One of the primary differences between GDPR and CCPA is how the two pieces of legislation address data security. Article 32 of GDPR is entirely focused on encryption and stipulates data security requirements that must be in place to protect consumer data.
In contrast, CCPA does not outline any particular data security requirements. It does, however, require organisations to have adequate safeguards ensuring that unauthorised individuals cannot access consumer information.
Many data security experts suggest encryption as a robust safeguard that would help businesses comply with data security laws. Organisations may also redact information so that, if an unauthorised individual were to access it, there would be limited personally identifiable information (PII) available for the thief to use for malicious purposes.
While addressing other issues of compliance, organisations should take this opportunity to perform a thorough audit of their cybersecurity framework and fix any security gaps and system vulnerabilities.
CCPA and Data Breaches
CCPA has also introduced new legislation surrounding data breaches. CCPA provides a private right of action to individuals for data breach incidents. That is to say, CCPA allows individuals to pursue legal action against companies whose consumer data was accessed by an unauthorised individual or stolen following a data breach. Consumers might sue an organisation if it was found that the company was negligent in ensuring that proper cybersecurity safeguards were in place to protect consumer data. Consumers may receive between $100 and $750 without needing to prove that they were harmed by the data breach.
CCPA fines are applied per violation, with a maximum of $7,500 for an intentional violation. There is no cap on the total amount an organisation may be fined. CCPA does not include sanctions for non-compliance, and fines are only applied if a breach occurs. This point is significantly more lenient than GDPR; a company may be fined under GDPR if it is deemed at risk of a breach or is wilfully ignoring GDPR’s rules.
These fines are an excellent incentive for organisations to ensure that they have proper security frameworks in place to reduce the risks of a data breach, and to ensure that data is protected such that if a breach were to occur, unauthorised individuals would have a hard time using the information for nefarious purposes.
CCPA Compliance Checklist:
- Identify the data that is created, received, stored and transmitted, including data shared with consultants, vendors and other third parties
- Identify all threats to the integrity of consumer data; this may include anticipating how accidental data breaches may occur, in addition to preparing against the threat of a cyber attack
- Assess what measures are in place to protect data and if they can be updated to newer, more robust technologies
- Determine the potential impact of a data breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels
- Review all company policies and procedures individually and assess whether they must be updated to comply with CCPA
- Review and update internal and online privacy policies to comply with the disclosure requirements of CCPA, such as informing consumers of their right to opt out of the sale of their data
- Assess whether consumer data is being collected in a CCPA-compliant manner
- Assess whether the organisation can act efficiently if a consumer exercises any of their rights, such as the right to access their data
- Train staff on the importance of data protection and consumer rights
CCPA has revolutionised how businesses collect, share, and process the data of Californian residents. By enforcing strict compliance requirements, CCPA is forcing businesses to reevaluate their methods and practices; in doing so, it aims to improve the level of data security in California and give citizens more control over their information. Other states are likely to follow in California’s footsteps and create similar data privacy laws with similar compliance requirements.
CCPA is a complex piece of legislation, and businesses must pay careful attention to its stipulations to ensure compliance. Organisations should seek legal counsel to assist them in navigating CCPA’s strict requirements.