A complete guide to CCPA compliance

The CCPA (California Consumer Privacy Act) came into effect on January 1, 2020, changing the data privacy landscape in the U.S.

In this blog, we take a look at everything you need to achieve CCPA compliance.

What is the CCPA?

The CCPA had two aims: to strengthen California residents’ rights regarding the way their data is processed, and to ensure that organisations do a better job of preventing privacy violations.

Its rules don’t replace existing California data protection law, such as CalOPPA (California Online Privacy Protection Act). As such, organisations within its scope will have to balance multiple requirements.

Who needs to comply with the CCPA? 

The CCPA applies to organizations that do business in California (regardless of where they are based) and:

  • Have a gross annual turnover of $25 million or more
  • Buy, receive, sell, or share the personal data of 50,000 or more consumers, or
  • Derive 50% or more of their annual revenue from selling consumers’ data.

As such, non-profits and many smaller organisations are exempt from the rules.



What types of information does the CCPA cover?

The CCPA covers consumers’ personal information – although it’s worth noting that its definition of that term may differ from what you’re used to.

Under the CCPA, the term covers any “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.

This includes things you would typically expect, such as names, postal and email addresses, and unique personal identifiers, but it also covers a broad range of other data.

For example, biometric data, Internet or other electronic network activity information, geolocation data, psychometric information, and professional or employment-related data are all within the scope of the CCPA.

What are the penalties for violating the CCPA?

Organizations that fail to comply with the CCPA’s requirements are subject to civil penalties of up to $7,500 and a civil suit that gives every affected consumer the right to seek between $100 and $750 in damages per incident, or actual damages if higher.

What are the CCPA compliance requirements?

The CCPA’s requirements can be broken down into those related to consumers’ rights and those related to the protection of their personal information.

Let’s first take a look at the four consumer rights enshrined in the CCPA.

1. The right to be informed

At or before the point of collection, organizations must tell consumers the categories of personal information that are being collected and the purposes for which it will be used.

Organizations that sell consumers’ personal information must also inform consumers of the categories of personal information that have been sold and the categories of third parties to whom they sold it, as well as the categories of personal information that have been disclosed for a business purpose and the purpose for which it was sold.

Consumers are also entitled to request further information, in which case organizations have 45 days to explain:

  • The categories of personal information they have collected
  • The categories of sources from which they collected the personal information
  • The business or commercial purpose for which they collected the personal information
  • The categories of third parties with whom the personal information has been shared.

2. The right to access/data portability

When consumers request access to their personal information, organizations must provide copies free of charge without delay.

They are not required to provide this information more than twice in a 12-month period.

3. The right to deletion

Consumers can request that an organization deletes any personal information relating to them. Organizations can only reject this request if the information is necessary to:

  • Complete a transaction, provide goods or services, or otherwise perform a contract between the business and the consumer
  • Detect security incidents or protect against malicious activity
  • Debug to identify and repair errors
  • Ensure the exercise of free speech or another right provided by law
  • Comply with the CalECPA (California Electronic Communications Privacy Act)
  • Engage in scientific, historical, or statistical research – subject to consumer consent
  • Enable “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business”
  • Comply with a legal obligation

Organizations can also reject the request if the data is being used internally “in a lawful manner that is compatible with the context in which the consumer provided the information.”

4. The right to opt out

Consumers may instruct organizations not to sell their personal information to third parties.

To achieve this, organizations must post a “clear and conspicuous link on their Internet homepage titled ‘Do Not Sell My Personal Information’”.

This must direct consumers to a privacy notice that gives them the option to opt out of the personal information sharing practices.


How to protect consumers’ privacy

The first step towards compliance is to work out whether you collect or could collect information from anyone in California.

Remember, if you have a website that collects personal information and which a California resident may use, you are within scope and must act accordingly.

You must then create a data flow map to monitor when and where you collect personal information.

Doing this will help you determine how extensively the rules apply to your organisation and whether you need to create and implement systems to help you achieve compliance.


You must also implement and maintain controls to prevent the information from being misused. You shouldn’t be looking at just the threat of cyber attacks and data breaches, but also circumstances in which the data is improperly or inadvertently disclosed by an employee.

There are many ways to protect your organization, but one of the most effective is to implement an ISMS (information security management system) as defined in ISO 27001.

The Standard applies cybersecurity controls based on risk assessment, so your ISMS is built from the ground up to secure your organization against the unique threats you face.

An ISMS takes into account the three pillars of effective cybersecurity – people, processes, and technology – ensuring that your internal defenses are just as effective as your external ones.


To implement these requirements, staff must be taught about their compliance obligations and shown how to respond appropriately.

With our California Consumer Privacy Act (CCPA) Foundation Online Training Course, you will gain a comprehensive understanding of your requirements and educate your team on the steps they must take.

It covers everything that employees need to know, including:

  • The terms used in the CCPA and how they differ from the GDPR
  • Consumer rights and how to meet them
  • The measures you must implement to achieve CCPA compliance
  • The CCPA’s privacy requirements and how they compare to other jurisdictions
  • What happens when you suffer a data breach or privacy violation

The course is led by a data privacy expert and delivered remotely, enabling you to receive the expertise that you’d find in a classroom course from the comfort and safety of your own home or office.
