What your data security team needs to know about the CCPA
By Ty Sbano
With the emergence of European Union legislation for citizens’ privacy under the General Data Privacy Regulation (GDPR), there is greater global awareness for the expectation of privacy. Within the United States, California continues to be the foremost champion of digital privacy rights.
Enter the California Consumer Privacy Act (CCPA); it’s the start of privacy expectations specific to citizens of the state of California, and will likely lead the charge for the US. The CCPA kicks in on January 1, 2020, but consumers may make requests to in-scope businesses covering the 2019 calendar year.
The recommendation to security, privacy, and compliance specialists is to act now, since the “look back” requirement for record-keeping provisions started January 1, 2019.
If your organization is not already in motion with compliance activities, keep in mind that this could result in damages of up to $750 per individual consumer in civil court, and fines of up to $7,500 per incident by the attorney general.
Here’s what your security team needs to know to stay on the right side of the law.
Californians’ rights under the CCPA are granted specifically to “consumers,” defined as residents and employees. Because of this, it is important that organizations include HR systems and internal processes in the scope of their preparation activities.
At a high level, the requirements are that consumers have the ability to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed, and to whom
- Opt out of the sale of personal information
- Access their personal information
- Receive equal service at the same price, even if they exercise their privacy rights
Businesses are defined under article 1798.145. The three criteria are:
- Organizations with annual gross revenues in excess of $25 million
- Organizations that purchase, sell, or share data from more than 50,000 consumers, households, or devices
- Organizations that derive 50% or more of their annual revenue from selling consumers’ private information
Steps to prepare
- Complete a readiness assessment.
- Evaluate your existing data inventory and record-keeping practices to honor CCPA obligations.
- Update or establish your subject access request processes to honor consumer requests for disclosures or their right to be forgotten.
- Deploy privacy training to key employees focused on the CCPA.
- Enhance your online presence to expand on your CCPA commitment and approach.
If all this is intimidating, or you would like more peace of mind for your existing efforts, seek professional, legal, privacy, and compliance services to guide your CCPA journey. But be mindful that most consultants and specialists are also learning by doing.
The main difference is their experience and exposure to previous efforts to deploy GDPR-specific controls and mechanisms. Remember that the CCPA, like the GDPR, does not have a certifying body or a formal certification process, so it is each business’s obligation to interpret and comply with the expected controls.
Commonly, the CCPA has been referred to as GDPR-lite since it is limited to just Californians and has some nuances for protections. If your organization has set the bar to GDPR-level compliance for everyone, you are likely well ahead of the curve with the expected controls of the CCPA.
The primary difference is that the GDPR focuses on opt-in for collection practices, while the CCPA is more focused on the ability to opt out. For any US-based organizations that did not have the obligation to comply with the GDPR or simply chose not to, it is time to act and ensure that you are strategically planning for CCPA compliance, including the look-back period. For continued, timely information about the CCPA, you can subscribe to the state’s newsletter about the law.
Federal privacy laws
There is an open question as to whether the CCPA will lead the charge for federal change. Increasing expectations for individual rights will likely spread across the US, with more states creating similar acts and legislation that would logically lend itself to a need for uniformity.
There are similarities between the CCPA and previously implemented state laws with specific breach notifications; California led the charge in 2002, and many states followed suit. The resulting challenge for organizations is managing all the various expectations and unique outlier scenarios related to where citizens reside and how to honor the breach notification requirement in the case of a security incident.
Technology-driven companies will need to rely on geo-location data directly provided by consumers or on real-time services to identify IP traffic, but this could easily be defeated with VPNs. Across the industry, I suspect, there will be challenges where providing proof of residence in order to honor opt-outs may lead to additional data leaks or breaches in privacy.
As a security professional, I believe it would be ideal to see a federal mandate that unifies expectations and subsequently creates an easier adoption path for the private sector.
The legislation is evolving
Assembly Bill No. 375 contains direct references to the massive privacy violation related to the Cambridge Analytica scandal, which increased public awareness for the need for greater oversight, regulation, and individual privacy rights.
With the increase of breaches, US citizens and our legislative bodies have the opportunity to level up their awareness and expectations related to privacy rights. It is very unlikely that the Founding Fathers could have envisioned the connected world we live in today.
Continual societal and technological progress drives the need for rapidly evolving legislation and agility within our government to meet the evolving privacy landscape.
Assembly bill breakdown
- 1798.100—Right to request and access the information that has been collected about the consumer, which must be disclosed in advance of collection. No further data or information may be collected without additional consent.
- 1798.105—Right to have information deleted unless technically or legally obligated to retain for processing—e.g., “the right to be forgotten.”
- 1798.110—Disclosures by organizations about the categories and purposes of the data collected.
- 1798.115—If a business sells customer information, it must provide details about the categories and to whom they are selling the information.
- 1798.120—Right to opt out of information being sold to a third party. There is some overlap with 1798.115 because there are additional restrictions for information about minors.
- 1798.125—Businesses will not discriminate (in accessibility, rates, quality, etc.) against consumers if they exercise their privacy rights under CCPA. This section clearly articulates the opportunity to sell personal information in exchange for compensation, better price/rates, or quality of goods.
- 1798.130—Consumers have free access to exercise privacy rights, and businesses should set the expectation of a response within 45 days and must, at a minimum, provide a toll-free number or website page with instructions on how to make formal requests. This is also the section that defines the term “look back,” because there is a requirement to cover the 12-month period preceding the receipt of a request. The “look back” scenario arises as soon as January 1, 2020, hits and a consumer makes a request. At that point, a business must provide details for the past 12 months (since January 1, 2019).
  - If the organization opts to, it can create a dedicated page to honor CCPA-specific requirements, but many controls are explicitly called out to be accessible via the homepage initially.
  - If information is sold, there must be a clear and conspicuous link on the website titled “Do Not Sell My Personal Information.”
  - Access to online privacy policies and California-specific descriptions.
  - Awareness for employees about expectations around the CCPA, e.g., training and process documentation.
  - Functionality or a mechanism to opt out.
  - Consumers’ ability to authorize a person solely to opt out on their behalf.
- 1798.140—Definitions of key terminology to articulate scoping criteria.
- 1798.145—Articulation that the CCPA will not restrict a business’s ability to comply with laws, legal matters, or requests from law enforcement. Additionally, it notes that anyone outside of California is not in scope and not protected under the CCPA, nor is data covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act.
- 1798.150—Unauthorized access to under-protected personal information can result in a consumer claim submitted to the attorney general, which can result in damages per customer or per incident, in the amount of $100 to $750.
- 1798.155—Business or third-party rights to seek the opinion of the attorney general for guidance on how to comply. Noncompliance may result in civil penalties of up to $7,500 per violation, with 20% going into the Consumer Privacy Fund and 80% to the jurisdiction that is leading the civil penalty action.
- 1798.160—Creation of the Consumer Privacy Fund within the General Fund in the state treasury to help offset any costs incurred by the state courts related to actions brought by the attorney general.
- 1798.175—Furthers the constitutional right and explicitly supplements the existing laws for the protection of the consumer’s personal information.
- 1798.180—Raising the CCPA as a statewide concern that supersedes all other regulations and laws of the state of California.
- 1798.185—Granting authority to the attorney general to act on or before January 1, 2020, to solicit public participation and adopt additional regulations.
- 1798.198—Defines the operational date as January 1, 2020.
To be fully knowledgeable about the CCPA beyond this quick primer and similar write-ups across the web, I highly recommend directly accessing the source material from the official CCPA authorities noted above.