The EU GDPR took the world by storm, upping the compliance ‘ante’ and causing other jurisdictions to follow suit in protecting consumer privacy. While the United States has not implemented any federal regulation of this sort, many states have begun to implement their own regulations at the state level. For California, the clock has already begun ticking with the California Consumer Privacy Act (CCPA), a GDPR-like regulation with a compliance date of January 1st, 2020.
The CCPA introduces sweeping legislation providing consumers with new rights in regards to the collection of their personal information. The regulation has three primary goals: to provide consumers with
- Knowledge of what personal information businesses are collecting about them
- The right to control whether a business is allowed to share or sell one’s personal information
- The right to protection against businesses that are not taking appropriate measures to secure consumers’ privacy
Important Definitions
There are several definitions set forth within the CCPA, but among the most important are the concepts of a business, a consumer, and personal information. It is integral to understand what constitutes these categories to truly understand the scope of the CCPA.
The CCPA defines an applicable “business” as any entity that operates for the profit or financial benefit of its shareholders or owners, collects consumers’ personal information, does business within the State of California, and meets one or more of the following thresholds:
- Has an annual gross revenue in excess of $25 million
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers’ personal information
The definition of a consumer is rather broad: a natural person who is a resident of California, with a resident being defined as one of the following:
- An individual who is in the state for other than a temporary or transitory purpose
- An individual who is domiciled in the state but is outside the state for a temporary or transitory purpose
The definition of personal information is quite broad, being defined as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device, including, but not limited to:
- Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Any categories of personal information enumerated in Civil Code 1798.80, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
- Characteristics of protected classifications under California or federal law
- Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric data
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Psychometric information
- Professional or employment-related information
- Inferences drawn from any of the information identified above
- Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer
Refer to the initiative for a full list of relevant definitions.
Consumer Rights Defined in the CCPA
The purpose of the CCPA as stated in the initiative is to ‘further the constitutional right of privacy by giving consumers an effective way to control their personal information’. This is achieved through the provision of several consumer rights.
- Right to Access: California consumers will have the right to request that a business that collects personal information about the consumer disclose the categories of personal information it has collected, the sources from which that information was collected, the business purpose for collecting it, the categories of third parties with whom it has been shared, the specific pieces of personal information collected about the consumer, and the categories of personal information the business has sold to third parties.
- Right to Opt-Out: If for any reason a consumer decides they do not want their personal information sold, they have the ‘right to opt-out’, which prohibits the business from selling their information.
- Right to Deletion: Consumers have the right to request deletion of their personal information, and a business must delete it upon receipt of a verifiable consumer request.
- Right to Equal Service and Price: Where a consumer has exercised any of the rights granted through this legislation, businesses cannot discriminate against the consumer by denying goods or services, charging different prices or rates for goods or services, or providing a different level or quality of service.
How Can Businesses Prepare for CCPA Compliance?
The CCPA requires businesses to apply strict controls to ensure consumers can exercise their rights effectively. In order to become and remain compliant with the CCPA, organizations will have to follow the same core principles as other, similar compliance standards:
- Know where personal information exists: Organizations should not only understand where their most critical data assets reside, but also which of that data is personally identifiable.
- Employ strong Data Access Governance controls: Knowing where this type of information exists is the first step; ensuring that the right controls are in place to prevent unauthorized access, and controlling data growth by removing unnecessary data, will be key to ensuring consumer data privacy.
- Deploy the necessary systems to respond to consumer requests: Businesses will have to provide the proper means for consumers to exercise the rights granted to them through the CCPA, including making available two or more designated methods for submitting requests, as well as being able to verify and respond to those requests in a timely manner (the statute sets a 45-day response window).
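The first two principles above (know where personal information exists, and which of it is personally identifiable) are the part a security engineer can start on today without any product. The following is an added example, not code from the original post or from STEALTHbits, that scans a set of constructed sample files for several of the identifier types named in the CCPA’s definition of personal information (social security numbers, email addresses, IP addresses and payment card numbers), applies a Luhn check to card candidates so that arbitrary 16-digit order numbers are not reported as cards, and produces a per-repository inventory with masked samples so that the inventory itself does not become another store of personal information. The file paths and contents are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample "files", standing in for documents found during a repository scan.
# None of these values belong to a real person; the card number is the standard 4111... test number.
SAMPLE_FILES: Dict[str, str] = {
    "hr/onboarding.csv": "name,ssn,email\nJane Roe,123-45-6789,jane.roe@example.com\n",
    "web/access.log": '203.0.113.42 - - [01/Jan/2020:00:00:01] "GET /account HTTP/1.1" 200\n',
    "finance/refunds.txt": (
        "Refund issued to card 4111 1111 1111 1111 on 2020-01-02\n"
        "Order id 1234 5678 9012 3456\n"  # looks like a card but fails the Luhn check
    ),
    "docs/readme.txt": "Nothing personal in here.\n",
}

# Detection patterns, keyed by the identifier category they approximate.
# The SSN pattern rejects area numbers 000, 666 and 9xx, group 00 and serial 0000.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # 13 to 19 digits, optionally separated by spaces or hyphens; validated with Luhn below.
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` satisfy the Luhn checksum used by card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return {category: [matched values]} for every pattern that fires on `text`."""
    findings: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            # Drop card-shaped numbers that fail Luhn; they are almost always order or serial numbers.
            if category == "payment_card" and not luhn_valid(value):
                continue
            findings.setdefault(category, []).append(value)
    return findings


def inventory(files: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Scan every file and keep only those with at least one finding."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            result[path] = hits
    return result


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters so the report does not reproduce the raw identifier."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def report(inv: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Render the inventory as one line per (file, category) with counts and masked samples."""
    lines: List[str] = []
    for path, hits in sorted(inv.items()):
        for category, values in sorted(hits.items()):
            samples = ", ".join(mask(v) for v in values[:3])
            lines.append(f"{path}: {category} x{len(values)} ({samples})")
    return lines


if __name__ == "__main__":
    for line in report(inventory(SAMPLE_FILES)):
        print(line)
```

In practice the `SAMPLE_FILES` dictionary would be replaced by a walk over file shares, databases or object storage, and the category list extended to the other identifiers in the definition (driver’s license formats, account numbers, geolocation fields). The important design points carry over unchanged: validate structured identifiers where a checksum exists so the inventory is not dominated by false positives, and never write the raw values into the inventory or its logs.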
Leveraging cybersecurity software such as that offered by STEALTHbits can streamline some of these necessary functions by providing the means to
- Discover the repositories that contain data assets
- Determine which of this data is personally identifiable
- Ensure that the proper data controls are in place by providing an understanding of who has access to what, and how they are leveraging that access
- Monitor for real-time threats
- Deploy policies to prevent unauthorized access to critical or sensitive information
To learn more about how STEALTHbits addresses CCPA compliance, visit https://www.stealthbits.com/california-consumer-privacy-act-ccpa-compliance