A Practical Guide to CCPA for U.S. Businesses

Published on October 3, 2018
A Practical Guide to CCPA for U.S. Businesses

Inspired by Europe’s General Data Protection Regulation (GDPR), the State of California has set a new precedent with the passage of the California Consumer Privacy Act (CCPA). The major data incidents last year have driven citizens into a frenzy about securing their data, and states have rushed to developing and passing policies and legislation. California has become the first state to pass anything similar to the GDPR in the United States. This, of course, sets the precedent and will likely become the go-to model for other states. If you store or process customer data in your business, then this article is for you. In the coming years, businesses across the United States can expect to see a surge of privacy-based policy both on the state and national level.

CCPA Basics & Clarification

The CCPA was developed based on a previous policy, the GDPR and recent data breaches. As stated in AB-375, in 1972 voters amended the California Constitution to include privacy as an inalienable right. The CCPA expands this to include digital data, stating, “Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.” The policy itself cites previous attempts to safeguard the privacy of California citizens. However, nothing like the CCPA has been attempted before. The policy also cites the Cambridge Analytica incident, which violated the trust and privacy of Facebook users. Included in section 2 of the CCPA are the following “rights” defined as the ultimate goals of the policy:

  • (1) The right of Californians to know what personal information is being collected about them.
  • (2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • (3) The right of Californians to say “no” to the sale of personal information.
  • (4) The right of Californians to access their personal information.
  • (5) The right of Californians to equal service and price, even if they exercise their privacy rights.

While these rights are the stated goals of the policy, they do not capture the full requirements and innovation that is within the policy. There is still a need for clarification on some aspects and nuances in the policy, but that is to be expected. Let's expand on the major provisions of the legislation.

Who is Covered by the Act?

The act covers “consumers,” who are defined under section 1798.140 as natural persons who reside in California. Consumers are now provided rights regarding their “personal information,” which is defined as “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Section 1798.40 then defines what is included under personal information:

  • “Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
  • “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.”
  • Biometric information
  • “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”
  • Geolocation data
  • Professional or employment information
  • Non-public education information
  • Metadata, or “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

This act impacts all companies who handle this type of data of any California citizens.

Who Must Comply

There has been some confusion over compliance with the popular assumption being that all businesses will have to comply. The reality in the bill could not be more different. According to section 1798.140(1) for-profit businesses who collect and control California residents’ data, conduct business in the state of California, and meet one or more of the following requirements must comply:

  • Generate $25 million in gross annual revenue or more
  • Handle data of more than 50,000 people or devices
  • 50% or more of revenue comes from selling personal information

Right to Know

Consumers now have a right to know what personal information a business has collected about them, how/where it was sourced from, how the data is used, if there is a disclosure or sell of the information and what other parties have access to the information. This can be fulfilled by way of a general disclosure in the privacy policy of the company or can be made available with more specific information upon request from a consumer.

Right to Opt Out 

Consumers have the right to opt-out of their information being sold. It is this provision that may cause some disruption for companies with models similar to Facebook or Google. For consumers under the age of 16, businesses cannot sell their data without written opt-in from the consumer or their parent.

Right to Delete 

Consumers have a right to deletion; however, there are some important exceptions to this rule. Business do not have to comply with a request for deletion if there is a need to maintain the data in order to:

  • Complete a transaction between the consumer and the organization
  • Maintain adequate cybersecurity or to prosecute attackers
  • Repair errors for service functionality
  • Exercise free speech
  • Comply with chapter 3.6 of the California Electronic Communications Privacy Act
  • Ensure the success of public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws.
  • Enable internal uses of the data in line with expectations of the user based on past relationship
  • Comply with a legal obligation
  • Use the data for internal purposes that align with the context of the data provided.

Right to Equal Service

If a business discriminates against consumers for exercising their rights from the CCPA, they will be in violation of the act. Section 1798.125 defines service discrimination as the following:

  • Denial of goods or services to a consumer
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties
  • Providing different levels of service quality to a consumer if they express their CCPA rights
  • Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services

Businesses may also offer financial incentives for the collection, sale, or deletion of consumer data. Consumers must provide an explicit opt-in into such incentive programs. Section 1798.125 also vaguely states that businesses cannot use “financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.”

What Does Enforcement Look Like?

The CCPA will be enforced by the California Attorney General. The civil penalty for each violation of the CCPA is $7500; however, this includes a 30-day cure period. In addition to action from the state’s Attorney General, consumers also have the explicit right to action under the CCPA. This means that consumers individually or as a class may seek statutory or actual damages if their personal data is exposed, exfiltrated, stolen, or disclosed due to poor security practices. Statutory damages have a maximum limit of $750 per incident per consumer in a given case.

Step-by-Step Guidance 

Below are the critical steps your company will need to follow for compliance with the CCPA. Keep in mind while California has set the standard for privacy policy in the United States, each state may develop different variations and may take privacy protections beyond what has been established.

Step One: Update Privacy Policies & Notification

In May 2018 consumer inboxes were flooded with privacy policy update emails. So much so it became a meme, actually. Companies in California have been required to post a privacy notice since 2003 due to the California Online Privacy Protection Act. For the CCPA companies will now be required to include the following in their privacy notices:

  • What categories of personal information are being collected and the purpose of use
  • Explicitly make clear the categories of personal information collected, shared, or sold
  • Make clear that consumers have the right to opt-out of the sale of their information
  • Include all privacy rights that California consumers may now exercise

Due to some differences in rights afforded to the consumer, companies may want to consider having separate policies for California consumers and European citizens. This will help avoid confusion to meet compliance for the CCPA and the GDPR.

Step 2: Business Processes & Data Management

Companies who meet one or more of the requirements of the CCPA will need to keep better track of data their company interacts with. Databases will have to be established to monitor and manage all data processing activities. This extends to internal business processes and any activity that is shared between your business and third parties. Companies will need to track if the data they are handling with be used for sale at any point. Additionally, companies will need to track what specific categories of data are being shared with third parties. This will overlap with other federal policies such as HIPAA or PCI, which will also need to be identified for exemption from CCPA compliance.

Step 3: Consumer Rights Requests

This is quite possibly the most important aspect of the new policy. Businesses will need to implement protocols to handle all consumer request in regards to their personal data. This means preparing for when a consumer says no to the sale of their data. In another case, a consumer may also say you’re not allowed to disclose their data to any third party. This falls under business processes since any request made by a consumer will impact operations, sales, and marketing. This can be achieved using technology, but management will still need to prepare to process requests while not preventing the overall mission of the organization. As a reminder, the rights that businesses will need to honor are the following:

  • Right to Notice
  • Right of Access
  • Right to Know
  • Right to Delete
  • Right to Opt-Out
  • Right to Incentive Notice
  • Right to Non-Discrimination

To ensure you can cover all your bases to make this happen, let’s review how you can achieve the structural capability to do this.

  1. Establish and maintain a database (records system) to monitor all data flows in your organization. Personal data will need to have a primary source that the rest of the organization will use to fulfill CCPA requirements.
  2. Establish a request process in your company for consumers to use. This can be a dedicated webpage for requests to be made, a dial-in number, fax number, or an application.
  3. Establish protocols to authenticate requests. You will need to verify the request is coming from the actual person before you process the request. Additional protocols will need to be established for documentation, response, blocking sale, and deletion. Keep in mind that some requests will not have to be honored, and if you do deny a request, be sure to specify why based on the CCPA.
  4. Employees will need to be trained on the new processes, and they need to be able to carry out requests correctly.
  5. Synchronize the CCPA database with other datasets to ensure that consumer records are up to date. The last thing an organization wants is approve a sale of data when a consumer explicitly requests that their data not be sold.
  6. In product development, ensure that consumers do not face a worse experience for simply exercising their rights. Develop incentives for the use and sale of their data, but product/service quality cannot deteriorate because of a rights request.

Step 4: Adopt Risk-Based Security Practices

Both the CCPA and GDPR require “reasonable” security measures. Given the need to protect against data breaches from external criminals and internal trusted associates, a risk-based approach to security is necessary. It is important to go beyond the bare minimum requirements for security that policy often outlines. Threats are always multiplying; however, the vectors of attack remain limited. Risk-based security considers the vulnerabilities of an organization and works to mitigate the risk of an attack in general, regardless of origin. By leveraging advanced data loss prevention technology paired with strong insider threat mitigation practices, companies can ensure a high degree of security than other companies that ignore both of these aspects of security now.

Step 5: Data Supply Chain Agreements 

While the term “supply chain” is typically used in the context of manufacturing, the idea of a data supply chain is not too farfetched given the value of data in today’s world. Businesses will need to know the entire lifecycle of the data they collect, process, and use. Third-party data processors whom companies may rely on will need to ensure they are meeting the compliance. This means that companies will need to ensure that contracts with third-party data processes are improved to comply with CCPA requirements. Be sure to do the following:

  • Require vendors to have a data inventory database to better manage and process rights requests
  • Require documentation of processing and a record of right request fulfillment
  • Require synchronized data mapping standards between yourself and all your suppliers to better manage data
  • Make sure there is a distinction between the transfer of data for processing to achieve your mission and the transfer of data for a sale.

No matter what, the CCPA will disrupt your current data supply chain in some way. You will want to be prepared for this. Third parties who are processing data may not always be located in the state of California or even in the United States. It is important to make clear to them what is at stake for non-compliance and be sure the processor does not hinder your ability to meet compliance with the CCPA.

What Comes Next

Privacy has become the catalyst for major changes in how we collect, process, and use data in the business world. The GDPR has set the standard for privacy policy globally, and the CCPA is an example of a local adaptation of the ideas from the GDPR. Businesses would be wise to reduce their regulatory risks and costs by investing in security and preparing themselves by performing the steps outlined above.

Isaac-Kohen-e1516132030511.jpg

About the Author: Isaac Kohen is the Founder and Chief Technology Officer of Teramind, a leading, global provider of employee monitoring, insider threat detection, and data loss prevention solutions. Follow on Twitter: @teramindco and connect on LinkedIn. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!