Cavirin’s Anupam Sahai discusses the factors that determine whether the CCPA impacts an organization, what the requirements are if so and what action you can take to prepare for it.
Just when you thought you had a handle on GDPR, businesses have new legislation to worry about: the California Consumer Privacy Act (CCPA). The CCPA stipulates that California residents should have greater access to and control over personal information held by businesses. In particular, the law seems targeted at online social media firms (e.g., Facebook) that have been reckless with their users’ personal information over the past few years. With the number of data breaches to date, are we really that surprised that something like this is coming into effect?
CCPA will become effective on January 1, 2020, but will not be enforced until six months afterward. However, the new law enshrines a few fundamental rights for consumers to access the information that companies hold on them and to control what is collected, stored and shared within the previous 12 months. So, come July 1, 2020, if a company has collected personal information from January 1, 2019 onward, the consumer has the right to find out exactly what data the business has collected, to opt out of the company selling their data and to ask for their data to be deleted – or, as the GDPR puts it, the right to be forgotten.
Key Takeaways Regarding CCPA
It’s only fitting that California would be the first state to enact something that people are referring to as “America’s GDPR.” After reviewing the bill, here are some of the key takeaways. The CCPA:
- Is the first U.S. consumer privacy law addressing consumer rights outside of federally regulated entities.
- Provides legal rights to the consumer, any California resident, in deciding what personal data collected over the past 12 months can be kept and/or used (under certain conditions).
- Requires businesses to disclose what consumer information they store and for what purpose, and whether any of that information is being transferred to or purchased by third parties.
- Requires businesses to make it easier for consumers to request information. All access requests must be exported in a user-friendly format and all consumer requests for the past 12 months must be tracked, because companies can charge after two requests.
- Requires businesses and their service providers to delete personal information based on consumer requests (opt-out option).
- Allows consumers to restrict businesses from selling their personal information to third parties (opt-out option).
- Prohibits discrimination against the consumer for opting out and/or charging the consumer who opts out a different price for the same service.
- Prohibits businesses from selling the consumer data of minors under the age of 16 unless there was an appropriate opt-in selected. Teenagers between 13 and 16 years of age can directly opt in, while children under the age of 13 require parental consent.
- Grants enforcement power to the California Attorney General.
- Goes into effect on January 1, 2020, but will not be enforced until July 1, 2020.
- Is looking to stop companies that have been leveraging consumer information (sometimes without the consumer’s knowledge) to obtain financial benefit, which may not be aligned with the consumer’s understanding of the information usage. These types of organizations are: internet providers delivering value added via over-the-top (OTT) services (AT&T DirecTV, Verizon Oath, etc.); social media firms; advertisers; online retailers; and non-banks (fintech firms).
Prior to this law, consumers had little to no control of their information (excluding federally regulated entities), nor did they have the ability to find out what was kept or sold and/or who had access to that information.
If a company is notified of a CCPA violation, it is granted a 30-day period to meet compliance and avoid penalties. If non-encrypted or non-redacted consumer information is compromised because of the failure to have reasonable security measures in place, consumers may seek damages from $100 to $750 per consumer per incident.
Are You Impacted?
The new legislation will affect businesses located inside and outside of California. It specifically applies to for-profit businesses (sole proprietorships, partnerships, limited liability companies, corporations, associations or other legal entities) that collect and process the personal information of California residents and sell inside/into the state of California.
Additionally, impacted businesses must fall into one of the following categories:
- Has annual gross revenue in excess of $25 million;
- Annually possesses the personal information of more than 50,000 California consumers, households or devices (Note: this one is a bit tricky, since the definition of a device is “any physical object that is capable of connecting to the internet [directly or indirectly] or to another device,” e.g., a USB stick, mobile phone, vehicle diagnostic information, etc.);
- Earns more than half of its gross annual revenue by selling consumers’ personal data; or
- Controls or is controlled by a CCPA-covered business, or shares common branding with a covered business.
How Do I Prepare?
First off, don’t delay! CISOs and management teams should not wait to plan and execute a compliance plan, since CCPA goes into effect January 1 and the information collection has already begun.
Start by following these five steps:
- Initiate A Readiness Assessment – Look at the regulations and procedures already in place at your organization in order to evaluate whether processes need to be updated or created altogether.
- Incorporate New Business Processes
  - Document all uses of the data and map where personal (consumer) data is stored and transmitted
  - Update data service provider agreements to ensure they comply with CCPA (including the ability to de-identify the consumer data)
  - Provide a toll-free telephone number for consumer requests for information
  - Authenticate consumers who make requests
  - Track the number of consumer requests in the past 12 months
  - Deliver the data within 45 days after the consumer request is authenticated
- Update Website to Address New Requirements – Add a clear and conspicuous link on the business’s internet homepage titled “Do Not Sell My Personal Information” that allows the consumer to opt out, and support requests made through a consumer’s password-protected account and/or by a consumer-authorized representative.
- Improve Cybersecurity – Implement a well-defined security program (ISO 27001, NIST CSF); encrypt all consumer data at rest (this prevents inappropriate usage, and the statutory damages described above apply to non-encrypted or non-redacted data that is compromised); strengthen your organization’s cybersecurity posture with up-to-the-minute compliance and risk analysis and remediation, utilizing a scoring system that assesses the threats to data, ranks the risks of the detected vulnerabilities and addresses the high-risk gaps first.
- Train Your Team – Updated employee training is mandatory for those who will be facing consumers and handling consumer information.
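The business-process step above bundles three bookkeeping rules that a request-handling system has to enforce: count each consumer’s requests over a rolling 12 months, note that a fee may only come into question after two requests in that window, and start a 45-day delivery clock once the consumer is authenticated. The following is an added example written for this article, not Cavirin’s code or any CCPA tooling; it assumes the “12 months” window can be approximated as 365 days and that the deadline runs from the authentication date rather than the receipt date, and the consumer identifiers and dates are constructed sample data. Whether a fee is actually appropriate is a legal decision the ledger only flags, never makes.

```python
"""Hypothetical CCPA consumer-request ledger (added example, not from the article)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Parameters taken from the article's checklist.
LOOKBACK_DAYS = 365            # "past 12 months", approximated as 365 days (assumption)
FREE_REQUESTS_PER_WINDOW = 2   # a fee may only be considered after two requests in the window
RESPONSE_DEADLINE_DAYS = 45    # data must be delivered within 45 days of authenticating the consumer


@dataclass
class ConsumerRequest:
    consumer_id: str
    received: date
    authenticated_on: Optional[date] = None   # set once identity verification succeeds
    fulfilled_on: Optional[date] = None       # set once the export has been delivered

    @property
    def deadline(self) -> Optional[date]:
        """The 45-day clock starts at authentication, not at receipt (assumption)."""
        if self.authenticated_on is None:
            return None
        return self.authenticated_on + timedelta(days=RESPONSE_DEADLINE_DAYS)


class RequestLedger:
    """Tracks requests per consumer so the window, fee flag and deadline can be checked."""

    def __init__(self) -> None:
        self._by_consumer: Dict[str, List[ConsumerRequest]] = {}

    def record(self, req: ConsumerRequest) -> None:
        self._by_consumer.setdefault(req.consumer_id, []).append(req)

    def prior_requests(self, consumer_id: str, as_of: date) -> List[ConsumerRequest]:
        """Requests from this consumer received in the rolling window strictly before `as_of`."""
        window_start = as_of - timedelta(days=LOOKBACK_DAYS)
        return [r for r in self._by_consumer.get(consumer_id, [])
                if window_start <= r.received < as_of]

    def may_charge(self, consumer_id: str, as_of: date) -> bool:
        """True when the consumer already made two requests in the trailing window."""
        return len(self.prior_requests(consumer_id, as_of)) >= FREE_REQUESTS_PER_WINDOW

    def overdue(self, as_of: date) -> List[ConsumerRequest]:
        """Authenticated, unfulfilled requests whose deadline has already passed."""
        return [r for reqs in self._by_consumer.values() for r in reqs
                if r.deadline is not None and r.fulfilled_on is None and r.deadline < as_of]


def build_sample_ledger() -> RequestLedger:
    """Constructed sample data (hypothetical consumer ids, not real people)."""
    ledger = RequestLedger()
    ledger.record(ConsumerRequest("c-1001", date(2019, 1, 15),
                                  authenticated_on=date(2019, 1, 16),
                                  fulfilled_on=date(2019, 2, 20)))
    ledger.record(ConsumerRequest("c-1001", date(2019, 6, 1),
                                  authenticated_on=date(2019, 6, 3)))  # never fulfilled
    ledger.record(ConsumerRequest("c-1001", date(2019, 11, 20)))       # not yet authenticated
    ledger.record(ConsumerRequest("c-2002", date(2019, 11, 20)))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("c-1001 fee flag on 2019-11-20:", ledger.may_charge("c-1001", date(2019, 11, 20)))
    print("c-2002 fee flag on 2019-11-20:", ledger.may_charge("c-2002", date(2019, 11, 20)))
    print("overdue on 2019-08-01:",
          [(r.consumer_id, r.received.isoformat()) for r in ledger.overdue(date(2019, 8, 1))])
```

Two details are worth noticing when running it. The window is evaluated relative to the date of the request being assessed, so a consumer who made two requests in January and June 2019 is still inside the two-request allowance for a request made in June 2020, because the January request has aged out. And an unauthenticated request never acquires a deadline, which is why the authentication step has to be recorded explicitly rather than inferred from receipt.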
How CCPA Compares to Current and Proposed Federal Regulations
Given the new Congress, there are a number of initiatives in play to extend CCPA-type regulations to the federal level, as well as other state regulations. One issue is that many of the larger internet properties are pushing for what some call a “watered-down” version of the privacy act, which would be at odds with California and others.
How this will play out is anyone’s guess, and as of this month, it is the main sticking point in debate. Turning back to the present, CCPA does not override any of the current federal laws that organizations may be subject to. These include GLBA (Gramm-Leach-Bliley Act) for financial institutions, HIPAA for health care, FCRA (Fair Credit Reporting Act) for consumer credit rating, FERPA (Family Educational Rights and Privacy Act) for educational institutions and the DPPA (Driver’s Privacy Protection Act) for driver records. In parallel, both the California Electronic Communications Privacy Act and the California Confidentiality of Medical Information Act are not impacted.
I believe if you implement a well-defined security program (ISO 27001, NIST CSF) or you have implemented the GLBA requirements on a global level, then CCPA will be a piece of cake.