In the past, this may not have been seen as much of a threat, but with the recent wave of data breaches and identity theft, it is becoming a serious privacy concern. People are now more concerned about their privacy, and they want their data to be stored in a safe place away from prying eyes.
This is exactly why the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR) were created. Both of these are designed to safeguard a consumer’s personal information. The GDPR is already in effect, and it is only a matter of months before the CCPA will also go into effect.
What is CCPA?
The CCPA is designed to protect the personal data of consumers and give them more control over it. In June 2018, the California legislature passed this bill to target all enterprises that collect, store or sell the data of consumers residing in the state of California. The bill is scheduled to go into effect on January 1st, 2020.
Despite the name of this law, a company does not need to be physically present in California for the CCPA to apply to it. Even if only the company's website serves the state's residents, it will be obligated to comply with the law. As a result, the CCPA is said to impact 500,000 organizations across the globe.
Who Does CCPA Apply to?
There are a few conditions that, if met, mean that a company needs to be compliant with the CCPA. The conditions are:
- The company collects personal data from the residents of California.
- The company (or its parent company or a subsidiary) exceeds at least one of three thresholds:
  - Has an annual gross revenue of at least $25 million.
  - Obtains personal information from at least 50,000 California households and/or devices per year.
  - Obtains at least 50% of its annual revenue from selling consumers’ personal information.
If a company meets any one of these thresholds, it is required to stay compliant with all the regulations associated with the CCPA.
What Rights Do Consumers Have Under This Law?
There are several consumer rights that the CCPA has introduced to protect user data and make enterprises better custodians of this information.
Right to notice: Under the CCPA, consumers have the right to be given notice by the company before any personal data is recorded and stored. Enterprises must also inform the consumer if they need additional data or if previously collected data will be used for a new purpose.
This requires an ongoing effort to identify changes in the collection or use of previously collected personal information.
Right to access: The CCPA gives consumers the right to request that the business:
- Disclose the categories of personal information that are collected.
- Disclose the source of the information collected.
- Disclose the purpose of use.
- Disclose third parties the information is shared with.
- Disclose specific information the business holds about the consumer.
- If the company sells or discloses a consumer’s information, the consumer has a right to know what information is sold or shared.
Right to opt-out: A consumer has the right to ask the company to stop the sale of their personal information at any point in time. Once a consumer has opted out, the company must wait 12 months before asking them to opt back in.
Right to erasure: If an enterprise holds the personal information of a consumer, the consumer has the right to ask the enterprise to delete it. There are certain exceptions to this clause; for example, a company is not required to delete information that is needed for detecting security incidents, exercising free speech, or protecting against or defending legal claims.
Consequences of Non-Compliance
Failure to comply with the CCPA can lead to class action lawsuits and fines that the company will have to pay. These fines can go up to $7,500 per instance of non-compliance, which can translate into millions of dollars in fines for companies that have stored the personal information of thousands, if not millions, of users. Organizations will have 45 days to respond to consumer requests.
Let’s suppose a consumer has sent a request to access their data held by the company. The company has 45 days to respond to the request. Failure to do so can result in a fine of up to $7,500. Now consider the same case with 10,000 data subject requests: the company is obligated to respond to all of them within 45 days or risk being fined $75 million.
What Does My Company Have to Do in Order to Comply?
Companies need to consider how to efficiently comply with CCPA, especially given that personal data may be stored in several different systems across many different organizations within the company (e.g. marketing, sales, IT, etc.). Here are some steps to consider:
- Establish a swift data subject request fulfillment system: Data subjects will be allowed to access data going back to the year preceding the implementation of the CCPA. This means a year of data that the consumer can already demand to access and erase. Companies will be better off preparing now rather than playing catch-up.
- Revise website and privacy policies: In addition to revising their internal policies to be compliant with the CCPA, companies need to modify their web properties as well. This means that the consumer should have visibility of cookies and the ability to deactivate them. It is also necessary to have a proper consent system in place before storing cookies on the consumer's device.
- Vendor evaluation: Companies that sell or share consumers’ personal data with third parties are liable for how those third parties handle it. This means organizations should perform privacy assessments of all third parties to avoid potential compliance gaps.
- Internal assessment: Assess the privacy policies of your company and simplify procedures for customers who send in a subject request, whether for access, deletion or opt-out. It is also recommended to secure the database holding this data to avoid a potential data breach.
- Employee training: Train data handlers and processors to send and receive data in a secure manner to avoid personal data sprawl.
How is CCPA Different from GDPR?
The GDPR (General Data Protection Regulation) came into effect in May 2018. The main purpose of this regulation was to standardize data protection laws across the European Union member states. The CCPA, on the other hand, focuses only on the residents of California. Although the CCPA and GDPR may serve the same purpose and are designed upon the same principles, there are some differences between the two.
- Privacy Scope – The GDPR applies to all businesses that process personal data, whereas the CCPA only applies to for-profit organizations that meet its thresholds, such as deriving 50% of their revenue from selling personal information or obtaining the personal data of over 50,000 consumers.
- Penalties – The GDPR can fine enterprises up to €20 million for non-compliance. The CCPA, on the other hand, fines enterprises for every instance of non-compliance, at up to $7,500 per incident. Consumers also have the right to file class-action lawsuits to obtain injunctive or declaratory relief.
- Definition of PI – The GDPR applies to personal data even when it is publicly available, while the CCPA does not apply to “publicly available” information sourced from government records, as long as the commercial use of the data is compatible with the underlying governmental purpose.
A PrivacyOps Approach
Organizations need to rethink how they handle privacy data and enable more effective and efficient control of that data. Many are considering a PrivacyOps framework that allows for automation and collaboration across various silos to efficiently comply with these new regulations. Only time will tell how CCPA will affect businesses as it goes into effect next year, but it seems clear that the heightened awareness of privacy rights is here to stay.
About the Author: With a passion for working on disruptive products, Anas Baig is currently a Product Lead at SECURITI.ai. He holds a Computer Science degree and did his Bachelor of Science at Iqra University. His interests include Information Security, Networking, Privacy, and Data Protection. Twitter: @anasbaigdm
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.