CCPA Requirements

The Californian Consumer Privacy Act (CCPA) was signed into law in June 2018. Many data privacy experts have compared CCPA to Europe’s latest data protection legislation, the General Data Protection Regulations (GDPR). Much like GDPR, CCPA has changed how businesses that operate in California collect, share, and use consumer data. CCPA hopes to protect consumers against the misuse of their data by introducing new security requirements for organisations. Businesses that fall under CCPA’s jurisdiction must be fully compliant with the legislation from 2020 when the legislation comes into effect.
Who is required to comply with CCPA?
Any business that collects consumers’ personal information which does business in California and which satisfies one or more of specific criteria must comply with CCPA.
If a business has annual gross revenues over twenty-five million dollars ($25,000,000), possesses the personal information of 50,000 or more consumers, households, or devices, or earns more than half of its annual revenue from selling consumers’ personal information, they are required to comply with CCPA. Exceptions to these requirements can be found at CCPA’s website.
CCPA Consumer Rights Requirements
CCPA grants new rights to individuals, following GDPR’s example. CCPA grants these rights to Californian residents who have had their data collected, processed, or sold by an organisation which falls under CCPA’s scope.
• Right to be informed as to the categories of information being collected
• Right to be informed of the purposes for which the data will be used
• Right to know what information the business holds on the consumer
• Right to request that a business deletes any information on the consumer • Right to refuse the sale of the consumer’s information to a third-party
• Right not to be discriminated against if the consumer does not permit the sale of their data
Organisations are required to respect these rights. If an organisation is found to be ignoring a consumer’s rights, there may be signifiant consequences.
CCPA Data Security Requirements
CCPA focusses on consumer rights. Unlike GDPR, CCPA does not stipulate particular data security requirements, such as encryption, should be in place to protect data. However, CCPA requires that organisations have adequate safeguards ensuring that unauthorised individuals cannot access consumer information.
Encryption is a popular method to protect sensitive data. Organisations may also redact information so that if an unauthorised individual were to access it, there would be limited personally identifiable information (PII) available for the thief to use for malicious purposes.
Organisations should fix any security gaps and system vulnerabilities to create robust cybersecurity framework to protect consumer data.
CCPA has also introduced new legislation surrounding data breaches. CCPA allows individuals to pursue legal action against companies obtained data that was accessed by an unauthorised individual or stolen following a data breach. Consumers might sue an organisation if it was found that the company was negligent in ensuring that proper cybersecurity safeguards were in place to protect consumer data. Consumers may receive between $100 and $750 without needing to prove that they were harmed in the data breach.
The threat of legal action highlights the importance of following all of CCPA’s data privacy and security requirements to organisations.