The California Consumer Privacy Act was signed into law in 2018 and went into effect on January 1st, 2020. With the EU’s GDPR paving the way, CCPA has a significant impact on how enterprises manage security and compliance for user data, as well as how data breaches are handled.
Simply put, the CCPA gives residents of the state of California greater control over their personal data, requiring companies to be more transparent about the data collected and stored about consumers. Businesses with practices in place to comply with GDPR are at an advantage, however, CCPA has some key differences that should be addressed separately from GDPR.
We’ve discussed the CCPA before, however, there have been several recent amendments in addition to the various iterations of these regulations since the original proposal.
As of the time of this blog post, these changes are being finalized and will start being enforced by the California Attorney General (AG) on July 1st, 2020. Now is the perfect time to make sure your organization is CCPA compliant.
At its core, the CCPA grants consumers with the following new rights:
The right to deletion will be familiar to anyone exposed to GDPR’s “right to erasure” or “right to be forgotten”.
Businesses will also be prohibited from selling the personal information of consumers aged 13-16 unless the consumer specifically opts-in. Consent from a parent or guardian is also required if the consumer is under the age of 13.
It’s essential for all businesses with ties to California, even if seemingly indirect, to know where personally identifiable information (PII) is, and how to relate each piece of information to specific consumers.
There are many important definitions regarding CCPA, including:
Personal Information – “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes names, alias’, physical addresses, online usernames, IP addresses, biometric information, geolocation data, SSNs, driver’s license numbers, passport numbers, employment information, and more that’s considered “other similar identifiers”.
What’s especially interesting is that this can include inferences drawn from all this information, including consumer profiles reflecting preferences, characteristics, trends, behavior, etc.
Consumer – “A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”
Essentially this covers everyone who lives in California, even if they are temporarily out of the state. However, visitors to the state of California are not covered by the CCPA (ex. visit is of temporary or transitory nature).
Collect – “Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.”
Sell – “Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
These are very broad definitions, that could be covered by larger transactions that do not obviously include the sale of user data and personal information (for example, website cookies). Business can’t be too careful under CCPA legislation.
Business – “A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information…”
This definition of “business” goes on to outline which businesses are affected by CCPA, which we’ll outline in the next section.
The CCPA’s domain can have a wide reach, including if your business doesn’t directly deal with the state of California in an obvious capacity. If your organization has collected any data from a California resident (for example, through website cookies) then you may need to comply with CCPA.
CCPA affects for-profit businesses that collect personal information from CA residents and meets one of the following:
There are some exemptions, although they can be complex and other aspects of a business may force compliance with CCPA regardless. Exemptions include:
Despite these exemptions, and with other privacy regulations like EU GDPR in mind, businesses should still implement protections for user data (especially PII) and understand where data resides as well as who has access to it. The benefits go far beyond legal requirements such as CCPA and EU GDPR.
At a high level, the EU’s GDPR has a broader scope than the CCPA, both in terms of geographical and legal scope. For example, GDPR applies to private companies, non-profits, public bodies, and public institutions. By comparison, the CCPA affects for-profit businesses that meet the aforementioned requirements.
Another key difference is regarding consent. For many purposes, GDPR pushes organizations towards requiring opt-in for data collection rather than requiring opt-out like the CCPA does.
When it comes to exemptions, the CCPA is more generous and includes specific, categorical examples for scenarios where CCPA does not apply. GDPR exemptions are far fewer and less specific.
Finally, the definition of a “consumer” is broader under GDPR, with personal data being referenced in relation to “data subjects” that have less well-defined citizenship/residency requirements.
Failure to comply with CCPA regulations can result in various fines:
The California AG has even issued multiple advisories to consumers to know and exercise their new rights under CCPA (especially during the COVID-19 public health emergency), and many consumers have already started acting.
CCPA-related lawsuits in 2020 include:
Businesses will have a chance to remediate CCPA violations within a 30-day window before the California AG may file an enforcement action.
CCPA has certainly been given life and is here to stay. Businesses can and will be tested to prove CCPA compliance, ranging from simple consumer Data Subject Access Requests (DSAR) to compliance and disclosure in the event of a complex, full-scale data breach.
Businesses regulated under CCPA need to make sure consumers can exercise their new rights, cannot hinder consumer rights, cannot charge for services related to consumer rights, and cannot limit the quality of service for consumers who have exercised their rights.
Requested (required) information must be disclosed and delivered to the consumer within 45-days of the initial request and must include the 12-month period preceding the request. 90-day extensions for disclosure are available, although not always granted.
Like preparing for GDPR compliance, businesses should follow certain core CCPA compliance standards:
Locating and classifying user data is an important first step towards CCPA compliance, as is continuously auditing for this type of information. When possible, encryption of data at rest is also a useful step towards protecting personal information in the event of a data breach.
If data is no longer needed for business or regulatory purposes, it should be securely archived or deleted. This lessens the impact a potential data breach could have, as less user data is exposed.
Organizational users should only have access to data that’s necessary for their role’s functions. By limiting data access to essential workflows and users, less data is exposed via open access and may be more difficult for attackers to reach in the event of a breach.
Businesses need to be able to quickly respond to consumer DSAR requests, gather all personal information associated with that consumer, provide that information to the consumer, and potentially delete that information.
This also includes opt-out requests for the sale of personal information, which should be easily accessible via a “Do Not Sell My Personal Information” link on the company website. Users should also be informed of cookie usage and data collection on the site as soon as they arrive and should be required to agree to the policy before proceeding.
Regarding disclosure, businesses must make available to consumers two or more designated methods for submitting requests for information required to be disclosed. This includes, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address.
Finally, it’s also a good practice to maintain records of consent for users under the age of 17 as well as opt-out and data deletion requests.
In order to comply with CCPA requirements, Stealthbits provides a range of capabilities that allow customers to identify, secure, and report on consumer data and Personally Identifiable Information (PII).
Host Discovery: Identify the different platforms within the network that may contain various unstructured and structured data repositories to ensure a comprehensive view of your organization’s privacy data footprint.
Sensitive Data Discovery: Capabilities that analyze content for patterns or keywords that match built-in or customized criteria related to customer privacy.
Remediation Actions: Automate all or portions of the tasks you need to perform to demonstrate compliance with CCPA and a myriad of other regulatory standards.
For the CCPA definition of personal information, Stealthbits can help with that as well:
The CCPA grants consumers, “various rights with regard to personal information relating to that consumer that is held by a business”, and requires businesses to, “implement and maintain reasonable security procedures and practices” to do so. Stealthbits can help:
Finally, Stealthbits can also help with legal breach notification rules via StealthDEFEND’s real-time threat detection and response:
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in StealthAUDIT. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, data storage, and automation. He has a Bachelor’s degree from Bryant University, and outside of tech he enjoys running, tennis, and snowboarding.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more
Start a Free Stealthbits Trial!
No risk. No obligation.