If you’re familiar with the world of cybersecurity and privacy, you’ve likely heard of the California Consumer Privacy Act (CCPA), a comprehensive consumer protection law intended to enhance privacy rights and consumer protection for residents in the state. This groundbreaking privacy law has set a new world of cybersecurity compliance into motion and shows no signs of slowing down.
2020 is here, and companies that fall under CCPA requirements need to take actionable steps now. While many companies are aware that they are subject to the law, 85 percent say they have only partially implemented policies to comply or have done nothing to prepare, according to a recent poll conducted by cybersecurity management software provider Apptega. Non-compliant businesses will not only face hefty fees but also potential damage to their brand, loss of customers and negative PR. Even more concerning, many companies don't know what data they hold on individuals or what they are doing with it.
Who Does CCPA Impact?
CCPA has far-reaching impacts on many businesses and business activities. Many of the impacted parties were not previously subject to US privacy rules and regulations. Contrary to what the name might suggest, the law is not limited to companies with a physical operation in California. Instead, it applies to any for-profit entity that meets any one of the following criteria:
- Has a gross annual revenue of $25 million or more.
- Annually purchases or receives for commercial purposes, or sells or shares for commercial purposes, personal information for 50,000 or more consumers, households, or devices in the state of California.
- Or generates 50 percent or more of their annual gross revenue from selling personal information.
Impact to Companies that Handle Data
CCPA poses additional personal information concerns for companies that handle data. These include:
- CCPA requires companies with joint partnerships, or that share emails with third parties, to comply with the same regulations.
- CCPA-mandated companies have to allow users to opt out and must offer several notification methods.
- CCPA-mandated companies cannot discriminate against users who choose to opt out of the sale of their information.
Understanding Recent Amendments to CCPA
CCPA’s requirements are constantly being amended and changed. Following are a few recent amendments.
- AB 25 exempts employee data and beneficiary and emergency contact data from CCPA’s scope until January 21, 2021. Companies must still provide a privacy notice to employees, as well as the direct right of action in case of breach.
- Amendment AB 874 spells out the definition of personal information by clarifying that personal information does not include de-identified or aggregated consumer information.
- Amendment AB1564 permits a business that operates exclusively offline and has a direct relationship with a consumer from whom it collects personal information to provide only an email address for submitting requests to exercise various CCPA rights. Also, an FCRA expansion clarifies that activity meeting the requirements of FCRA is exempt from CCPA.
- Amendment AB1146 exempts vehicle information shared between a new auto dealer and a vehicle manufacturer when information is shared or retained pursuant to, or in anticipation of, a vehicle repair relating to warranty work or recall.
- Amendment AB1355 adds an exclusion of de-identified and aggregate information from the definition of personal information, along with other clean-up changes. This amendment includes a B2B exception until January 21, 2021 for information collected in the context of conducting due diligence regarding a company, nonprofit, or government agency, or for information collected in the provision or receipt of a product or service to or from a company, nonprofit, or government agency. Also, as part of the new amendments, new requirement AB 1202 defines data brokers and requires them to register as a data broker and provide certain information to the attorney general.
Tips to Comply with CCPA
CCPA specifies that non-compliant companies could face fines of up to $750 per individual consumer in civil court and fines of up to $7,500 per incident by the attorney general. For data breach cases identified as negligent, fines of $100 to $750 per infraction per record can be levied. For example, an organization breached under CCPA with 50,000 exposed individual records could incur a fine of over $30 million. Following are tips to help impacted businesses comply.
1. Understand Whether CCPA Applies to Your Business
If your business meets the criteria, you'll have to implement CCPA regulations. If your company does not meet any one of the three thresholds, your business won't be affected by the law and is not legally required to adhere to these requirements. Even so, keep up with digital consumer privacy laws, as they change frequently from state to state, and your business may be required to abide by them at some point.
2. Understand Platforms as They Relate to Your Web Properties
Under CCPA, the owner and operator of a website that allows the collection or sharing of data is responsible for the security of all personal information collected, sold, or shared on the site, including the actions of third-party platforms loaded in through other third parties. With this in mind, be sure to audit your web applications regularly: understand how they are being loaded and what they do with data. This makes it easier to comply with CCPA guidelines.
3. Develop a Plan to Respond to Data Subject Requests
As consumer privacy concerns become more prevalent in the digital world, it's critical to begin building out your data subject access request plan. This is especially important given that CCPA requires a 12-month recall period. While there are many different ways to respond to such requests, the most important thing is to choose an approach that provides for both consumer privacy and your business's compliance.
This article originally ran in Today's Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.