Understand the California Consumer Privacy Act in 10 Minutes
The California Consumer Privacy Act of 2018 (AB-375, or CCPA for short) is one of the toughest U.S. regulations targeting Silicon Valley firms that could have bigger impact on companies than the EU’s GDPR that went into effect last May.
Signed into law in June 2018, the new regulation comes as a response to a multitude of businesses making headlines in the past year, including the Cambridge Analytica data scandal, for mishandling or exploiting private data. The CCPA focuses on making sure organizations have a business purpose for why they need personal information (PI) while enabling Californians to readily request, delete or protect their personal information collected and governed by a business.
Furthermore, California’s attorney general, who many say will become "the chief privacy officer of the United States,” will play an important role monitoring Silicon Valley’s privacy practices and cracking down on those that don’t implement and maintain sound security practices that safeguard consumer data.
Here’s everything you need to know to get up to speed.
Who must comply?
Unlike GDPR (which applies to any organization that obtains personal information on any EU citizen), organizations that simply conduct business with California residents and satisfy one of three thresholds must be CCPA-compliant:
- Has an annual gross revenue in excess of $25 million
- Buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenue from selling
If your company meets the criteria above, then you’ll need to inform consumers the type of personal information collected and the purpose at the point of data collection. Read the full description in Section 1798.140.
In short, the privacy law defines business purpose as the following:
- Auditing or verification related to transactions
- Detecting security incidents, fraud prevention or illegal activity
- Debugging to identify and repair errors
- Short-term transient use
- Performing services on behalf of the business or service provider
What are the key rights and provisions?
Starting January 1, 2020, the CCPA grants consumers the right to request a business to disclose:
- All data collected about the consumer
- The categories of sources from which that information is collected
- The business purpose for collecting or selling that information
- Third parties with which the information is shared
Consumers can also:
- Request to delete their personal information
- Opt-out of the sale of personal information by a business. Additionally, the CCPA also prohibits businesses from selling children’s information under the age of 16.
- Sue, in some cases, if their data isn’t properly protected
The California law also requires companies to include a form (Section 1798.135) on their websites, asking consumers to opt-in or out of data sharing. Otherwise, consumers can take legal action if they’re unable to find out how their information has been collected or get copies of that information.
Compared to GDPR, the CCPA takes a broader approach to what constitutes as sensitive data by expanding its definition to include households. The new privacy law defines PI as information that “identifies, relates to, describes is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or house.” See the full description in Section 1798.140.
This means now under CCPA, even data that does not contain the name but may otherwise identify or relate to a particular individual or household must be analyzed to see if the CCPA protections apply. Whereas in the past, companies knew data that did not include the name of the consumer would not trigger a data breach notification in California if accessed or used inappropriately.
The act does not restrict businesses to collect, use, retain, sell or disclose consumer information that is de-identified. For reference, the CCPA defines de-identified data as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”
When does the act go into effect and why does it matter?
Once the law takes effect in 2020, organizations have 45 days to respond to any verified consumer request. In the event that a business fails to address a violation within 30 days of notification, the general attorney may impose a maximum penalty of up to $7,500 for each violation. If a data breach occurs, the consumer may pursue legal action to recover damages of up to $750 per incident or actual damages, whichever is greater. On the contrary, GDPR has a tiered approach to fines with the EU law on data protection and privacy.
Even though this law technically applies only to California residents, it will most likely have much broader implications as more data privacy laws continue to develop globally.
Now, here are specific ways to help your enterprise with the first step of becoming CCPA-compliant.
Know your data for CCPA compliance.
The first step is to know your data. Many organizations are not aware of what data they own, the scope of that data or where it’s located. If you have good insight and understanding of your data, it’ll be much easier to get a sense of what the impact is in the context of CCPA.
Tools, like Delphix, can help businesses pinpoint things like names, email addresses, SSNs, IP addresses and provide an enterprise-wide view of exposure to CCPA.
Take control of your data.
Data is the fuel that powers today’s businesses. But efficiently governing this data is becoming harder and harder as it grows and proliferates across cloud and on-prem environments.
One approach to make data governance work for your business is to implement technology that will help you manage copies of data floating around and provide visibility into who’s using the data for what.
Technology, like the Delphix Dynamic Data Platform, quickly delivers data copies for dev/test, analytics, reporting, support and other use cases and then serves as a single point of control for governing those copies. It gives businesses greater authority to define controls that determine who has access to what data, where and when, allowing companies to easily create and enforce data governance policies around CCPA compliance.
Secure your data.
There is more data in places than ever before, and data privacy and security cannot be an afterthought. For non-production environments (i.e., dev, test, and reporting) that contain as much as 90 percent of the data that's in scope for the CCPA, masking sensitive information will bring those environments compliant with respect to the regulation.
Start planning now for CCPA compliance. Learn how the Delphix Dynamic Data Platform can help you achieve CCPA compliance with an enterprise-wide approach to data virtualization and data masking capabilities that can help deliver your data securely and rapidly.