Corporate Compliance Insights

CCPA Compliance: Preparing for the California Consumer Privacy Act

What Organizations Will Be Affected and What They Need to Do Now

by Rod Christensen
July 17, 2019
in Data Privacy, Featured

The CCPA, which goes into effect in six months, will cover data beginning in January 2019, so the time to prepare is now. Aparavi’s CTO Rod Christensen discusses the steps companies must take to ensure compliance as soon as possible.

The purpose of the California Consumer Privacy Act (CCPA) is mainly to rein in the use and sale of personal information by large companies for purposes such as advertising. This doesn’t mean the rest of us are off the hook for CCPA compliance, however. Let’s look briefly at some of the reasons the CCPA law may apply to you and what it covers.

Do You Need to Prepare for CCPA?

CCPA in California goes into effect January 1, 2020 and applies to for-profit companies that meet at least one of the following criteria:

  • Has an annual gross revenue of $25 million or more
  • Buys, uses, sells or shares the personal information of at least 50,000 consumers, households or devices within California
  • Receives at least half of its annual revenue by selling consumers’ personal information

While this sounds fairly straightforward, there are wrinkly areas. Here are just a few cases in which you should, or you must, be able to show CCPA compliance:

  • You supply goods or services to a company that is required to comply with CCPA or have a contract with one or otherwise do business with one
  • You fall under one of the rules above, but you’re not based in California, nor do you have a physical location in California
  • You fall under one of the rules above, but you’re a B2B company that doesn’t collect data about individuals
  • You fall under one of those rules above, but you’re a company that de-identifies data collected about individuals, such as for statistical purposes

What if These Don’t Apply to You?

There are some very good reasons you should comply with CCPA law, even if none of this applies to you right now:

  • You have a website that is able to be visited by California residents, and you collect data about those site visitors or their devices
  • You hope to someday have revenues of $25 million or more (#likeaboss)
  • You hope to someday have 50,000 or more customers/users in California
  • You hope to someday supply goods/services to a company required to comply with CCPA
  • You hope to someday sell your business to or merge with a company required to comply with CCPA

Like other data privacy laws, what CCPA considers personally identifiable information is pretty broad and includes IP addresses, browser cookies and clickstreams, in addition to physical or email addresses and other obviously identifying data. (It does not cover personal health information already subject to HIPAA privacy laws, as no one is using that data for sales/marketing without permission of the individual – or at least that’s the idea.)

While who and what constitutes an individual consumer or device may be pretty easy to understand, CCPA includes household data too, which is rather less defined.

And, as mentioned, CCPA law requires covered companies to make sure any third-party suppliers or service providers are also in compliance. This means if a telecom company hires you to cater an office lunch or you are a promotional items company making 500 polo shirts with the logo of a big social media company – tag, you’re it.

Even if you aren’t in California and don’t sell to or deal with anyone in California, keep in mind there are many states that have passed or are discussing similar data privacy laws. You might still want to brush up on your ABCs and think of CCPA requirements as a practice test.

Understanding the CCPA Requirements

There is much more than just storage and software at work here. There are massive policy implications and massive changes to websites that are going to need to happen. While CCPA covers similar ground as the GDPR, it is more specific on data breaches. If private data is breached or exposed, you’re toast. Even if encrypted data is leaked, you are in trouble if there’s any potential that the encryption keys or metadata leaked. The minimum fine is $2,500 per record. If you can’t address the issue quickly, that goes up. If it’s found that a breach is due to a known issue, such as a problem you ignored, that can go up to $7,500 per record.

As with GDPR, the right to be forgotten is the main difficulty from the perspective of IT management, and CCPA adds some interesting twists. For example, if a consumer requests you delete their data, there are some exceptions, such as data you need in order to complete your business with that individual. If you need to mail them a product they’ve paid for or to keep track of their purchase history for tech support purposes, you do not need to grant their request. And if you are under obligation for some legal reason to keep their data, you do not need to grant their request.

Another nuance: A customer can permit you to keep their data, but not share it with or sell it to any third parties. To comply with this, administrators will need to manage files based on these varying requests, perhaps in separate repositories based on the customer’s preference or by flagging or tagging it as either “do not share” or “okay to share.”

A consumer can request access to or removal of their data up to the prior 12 months. So, while the law doesn’t take effect until January 2020, technically it covers data beginning in January 2019, which means the time to start complying with CCPA law is… six months ago.
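The request handling described in the three paragraphs above, as an added example that is not part of the original article: deletion with the two stated exceptions, default-deny sharing driven by the “do not share” / “okay to share” tags, and the 12-month access window. The record fields, the purpose names and the 365-day approximation of “12 months” are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

LOOKBACK = timedelta(days=365)  # the article's "prior 12 months", approximated (assumption)
RETAIN_PURPOSES = {"open_order", "support_history"}  # hypothetical purpose names
@dataclass
class Record:
    consumer_id: str
    collected: date
    purpose: str
    legal_hold: bool = False
    tags: set = field(default_factory=set)  # "do not share" / "okay to share"

def retention_reason(rec):
    """Why a record survives a deletion request, or None if it must be deleted."""
    if rec.legal_hold:
        return "legal obligation"
    if rec.purpose in RETAIN_PURPOSES:
        return "needed to complete business with the consumer"
    return None

def process_deletion(store, consumer_id):
    """Return (kept, deleted, audit) after one consumer's deletion request."""
    kept, deleted, audit = [], [], []
    for rec in store:
        mine = rec.consumer_id == consumer_id
        reason = retention_reason(rec) if mine else "other consumer"
        if reason is None:
            deleted.append(rec)
            continue
        kept.append(rec)
        if mine:
            audit.append((rec.purpose, reason))  # log why the request was declined
    return kept, deleted, audit

def access_request(store, consumer_id, today):
    """Records in scope for an access request: this consumer, prior 12 months."""
    return [r for r in store if r.consumer_id == consumer_id and today - r.collected <= LOOKBACK]

def shareable(store):
    """Default-deny: untagged or 'do not share' records are never shared or sold."""
    return [r for r in store if "okay to share" in r.tags and "do not share" not in r.tags]

TODAY = date(2020, 1, 1)  # constructed sample data follows
STORE = [Record("c1", date(2019, 6, 1), "marketing", tags={"okay to share"}),
         Record("c1", date(2019, 11, 5), "open_order", tags={"do not share"}),
         Record("c1", date(2018, 3, 9), "marketing"),
         Record("c1", date(2019, 2, 2), "tax_invoice", legal_hold=True),
         Record("c2", date(2019, 8, 8), "marketing", tags={"okay to share"})]
```

Keeping the audit list alongside the retained records gives you a documented reason for every item you declined to delete.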

How to Address CCPA

Seek out data management features that help to comply with the right to be forgotten, protect private data, manage similar data in different ways or different data in similar ways. Advanced CCPA-compliant solutions give you the ability to classify and categorize data with tags so the information can be managed and found. These solutions also provide full-text content search so users can locate and retrieve data without having to know where it’s physically stored.


Rod Christensen

Rod Christensen is CTO and GRC Technologist for Aparavi. Prior to his current position, he was the CTO/Vice President of Engineering at NovaStor, where he fostered collaboration among his team of designers and engineers to build quality storage products. Rod has more than 25 years of experience developing elegant solutions to complex technology problems.
