December 23, 2019
California Consumer Privacy Act
What Companies & Consumers Need to Know
Recent major breaches have proven how vulnerable our personal data is and why handling personal data responsibly is vital. These breaches have prompted the citizens of California to demand action. Inspired by Europe’s General Data Protection Regulation (GDPR), the State of California has set a new precedent with the passage of the California Consumer Privacy Act (CCPA). Effective January 1, 2020, CCPA will affect large business entities and consumers alike regarding how personal information is controlled and distributed. Before CCPA goes into effect, consumers need to know their rights defined in CCPA and the ultimate goals of the act. It is also essential for companies to understand what impact CCPA might have on their day-to-day operations.
What Consumers Need to Know
In preparation for CCPA, California consumers are encouraged to know and understand their own rights, among them, being:
1) The right to know;
2) The right to opt-out;
3) The right to delete;
4) The right to equal service.
It is every consumer’s right to know what aspects of their personal information have been gathered and stored, where it was collected, how it will be used, and to whom it will be disclosed. A consumer may request an applicable business to disclose any information that was collected about them in the last 12 months and can also opt-out of allowing a company to sell their personal information to third parties. California consumers also have the right to demand that a business entity delete their personal information (unless it is being used for contractual purposes) and have the right not to be discriminated against based on their refusal to provide their personal information for use. In other words, consumers who choose not to share personal information shall not be denied the standard quality of goods and services or be charged differently as a result.
CCPA vs. GDPR: What’s the Difference?
Since they share the overarching theme of stringent data privacy, CCPA has already been compared to the GDPR, which was designed in 2016 to protect the personal information of the citizens of the European Union (EU). While the two are similar in that they both require swift responses to consumer requests and enforce heavy fines against non-compliant businesses, there are significant differences between the two.
The biggest difference between CCPA and the GDPR is the opt-out right that consumers have from the selling of their personal data. CCPA requires all relevant businesses to include a “Do Not Sell My Personal Information” link on the homepage of their websites, whereas, under the GDPR, there is no such regulation.
In addition, the GDPR provides consumer rights that are not extended under CCPA, such as the ability for consumers to correct any inaccurate personal information. EU citizens also have the right to exclude their personal data from research or marketing efforts, which is not comparable to any clause in CCPA.
Another difference between the two acts is CCPA’s more varied approach to protecting the personal information of minors. For personal information of any child aged 13 or younger to be sold, a parent or guardian must first give their consent. However, between the ages of 13 and 16, the child can provide their consent for their personal information to be used. By comparison, under the GDPR, the default age of consent is 16 years, and all younger individuals must obtain parental consent for the processing of their personal information.
Finally, the GDPR is a bit more extensive in terms of its scope than CCPA, covering all EU data controllers (including those that are not physically in the EU but processes the information of its citizens). CCPA only applies to businesses that meet specific criteria outlined below.
How Does CCPA Affect Corporations?
There is some confusion over compliance, with the popular assumption being that all businesses will need to comply. The reality could not be more different. According to section 1798.140(1), businesses that collect and control California residents’ data, and conduct for-profit business in the state of California and which meet at least one of the following thresholds must comply:
1) Have an annual gross revenue of over $25 million;
2) Possess the personal information of 50,00 or more consumers, households, or devices; or
3) Earn more than half of its annual revenue from the selling of personal information.
The act is intended to give the general California population more control over their privacy and how their information is used. In this case, personal information includes identifiers and document information such as name, mailing address, email address, phone number, driver’s license number, and social security number, to name a few. Essentially, any information that pertains to an individual or household qualifies under CCPA – including information like IP address and browsing/search history, which are not government official but still act as identifiers.
CCPA will be enforced by the California Attorney General. The civil penalty for each violation of CCPA is $7500; however, this includes a 30-day cure period. Consumers also have the explicit right to action under CCPA. This means that consumers, individually or as a class, may seek actual damages if their personal data has been compromised, exposed, stolen, or disclosed due to poor security practices by companies.
How Can a Company Prepare for CCPA?
To prepare for CCPA implementation and enforcement, affected companies should first answer key data mapping questions.
- What personal information does the organization collect and possess?
- How is the personal information collected?
- Where and how is the personal information stored?
- To what entities does the organization transfer personal information?
- What is the nature of the transfer (e.g. sale, service, sharing with third parties, etc.)
Mapping data accurately and efficiently can be challenging but answering these questions would provide a good starting point for businesses looking to promote organizational hygiene.
A business should determine whether any of this data is at risk by checking access permissions. Stale personal data should be properly disposed of, as it will be an added (unnecessary) risk. After all stored data has been analyzed, permissions should be adjusted where necessary (i.e. via role-based access controls), personal data should be archived or deleted, and proper programming should be used to monitor all personal data against threats. To maintain high levels of security, it’s recommended that all stored personal data and permissions are reviewed regularly, cyber threats are detected, and protocols are adjusted as needed, and relevant data is kept organized.
What Comes Next
Developing the Right Privacy Framework for your Organization: A roadmap to forming and executing your strategy
Presented by: Christina Whiting Principal | Privacy, Enterprise Risk & Compliance, Obrian Goriel Information Security & Privacy Consultant and Adorial Bethishou Privacy Analyst
Join this webinar to learn best practices and recommendations for designing a comprehensive privacy approach that considers local and international legislation, anticipates the next regulations on the horizon, while simultaneously helping create a culture of privacy in your enterprise. Learn what to take into account when choosing your privacy framework and how it can influence your strategy, execution and organizational culture shift.
About the Author
Anir Desai is an Information Security Analyst at Tevora.