The California Consumer Privacy Act (AB-375, or CCPA for short) is one of the toughest U.S. regulations targeting Silicon Valley firms. Many predict the CCPA could have a bigger impact on companies than the EU’s General Data Protection Regulation that went into effect in May 2018.
Before we share the 6 steps companies must take to become CCPA compliant, here’s a deep dive into what this privacy law is all about it.
Signed into law in June 2018, the new regulation comes as a response to a multitude of businesses making headlines for mishandling or exploiting private data. The CCPA focuses on making sure organizations have a business purpose for why they need personal information while enabling Californians to readily request, delete, or protect their personal information (PI) collected and governed by a business.
“Primarily and fundamentally, the CCPA is a transparency vehicle,” says Dominique Shelton Leipzig, partner, and co-chair ad tech privacy & data management at Perkins Coie. “It’s all about letting consumers know what data is being collected by the company, when it’s being sold and shared for a business purpose, and any third-party data is shared with or any sources of personal data has been used.
California’s Attorney General Xavier Becerra, who many say will become the chief privacy officer of the United States, will play an important role monitoring Silicon Valley’s privacy practices and cracking down on those that don’t implement and maintain sound security practices that safeguard consumer data. Here’s everything you need to know to get up to speed.
Unlike GDPR (which applies to any organization that obtains personal information on any EU citizen), organizations that simply conduct business with California residents and satisfy one of three thresholds must be CCPA-compliant:
Has an annual gross revenue in excess of $25 million
Buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
Derives 50 percent or more of its annual revenue from selling
If a company meets one of the criteria above, then it will need to inform consumers of the type of personal information collected and the purpose at the point of data collection. Read the full description in Section 1798.140.
The CCPA grants consumers the right to request a business to disclose any of the following:
All data collected about the consumer
The categories of sources from which that information is collected
The business purpose for collecting or selling that information
Third parties with which the information is shared
In this case, business purpose is defined as:
Auditing or verification related to transactions
Detecting security incidents, fraud prevention or illegal activity
Debugging to identify and repair errors
Short-term transient use
Performing services on behalf of the business or service provider
The California law requires companies to include a form (Section 1798.135) on their websites, asking consumers to opt-in or out of data sharing. Otherwise, consumers can take legal action if they’re unable to find out how their information has been collected or get copies of that information.
Consumers also have the following rights:
Right to deletion
Right to opt-out of the sale of their data for any reason
Right not to be subject to discrimination for the exercise of rights
Right to data portability
Compared to GDPR, the CCPA takes a broader approach to what constitutes sensitive data by expanding its definition to include households. The new privacy law defines PI as information that “identifies, relates to, describes is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or house.” See the full description in Section 1798.140.
This means now under CCPA, even data that does not contain the name but may otherwise identify or relate to a particular individual or household must be analyzed to see if the CCPA protections apply. Whereas in the past, companies knew data that did not include the name of the consumer would not trigger a data breach notification in California if accessed or used inappropriately.
The act does not restrict businesses to collect, use, retain, sell or disclose consumer information that is de-identified. The CCPA defines de-identified data as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”
Effective January 1, 2020, organizations have 45 days to respond to any verified consumer request under the CCPA. In the event that a business fails to address a violation within 30 days of notification, the California general attorney may impose a maximum penalty of up to $7,500 for each violation. If there is an unauthorized infiltration of data, consumers can assert a private right of action to recover damages up to $750 per violation.
In contrast, GDPR has a tiered approach to fines with the EU law on data protection and privacy. Depending on the violation occurred, the penalty may be either: 4 percent of the global annual turnover from the prior year or $20 million, whichever is greater, or 2 percent of global annual turnover or $10 million, which is greater.
Companies not in compliance are also subject to greater liability from a litigation perspective.
“California is a highly litigious state,” Shelton adds. “We have a hotbed of privacy litigations, especially around areas of behavioral tracking, which is very much one of the major impetus behind the CCPA. If you look into the initial proposition, Alastair Mactaggart and others were very concerned about the tracking and the profiles that were being developed around California consumers.”
If an enterprise has put together a global GDPR program, the company should be in good shape to begin the extra steps that are required for the CCPA, Shelton explains. Inspired by the GDPR, businesses can take this construct of these six phases and apply it to CCPA compliance.
Designate an individual or team to be in charge of data privacy and security. This person can be either a chief privacy officer, data privacy officer, or chief data officer.
Perform a data inventory, so you have an auditable record of your data flows across your enterprise, like a data roadmap. For companies that did this exercise for EU resident data should be in a good position to know where their California data is. Even if they didn’t do a global program, their inventory may give some sense of where that data might be.
Do a risk assessment of the data flows that have been identified in the inventory and measure your data practices against legal metrics. Many organizations are not aware of what data they own, the scope of that data or where it’s located. If you have good insight and understanding of your data, it’ll be much easier to get a sense of what the impact is in the context of CCPA.
Conduct high-risk processing for information pertaining to financial, healthcare, or children’s records. Tools, like Delphix, can help businesses pinpoint things like names, email addresses, SSNs, IP addresses and provide an enterprise-wide view of exposure to CCPA. The platform can quickly deliver data copies for dev/test, analytics, reporting, support and other use cases and then serve as a single point of control for governing those copies. It then gives businesses greater authority to define controls that determine who has access to what data, where and when, allowing companies to easily create and enforce data governance policies around CCPA compliance.
Mitigate the risk(s) identified in Phase 3 and 4 through governance, technical controls, policies, and procedures as well as vendor management. For non-production environments (i.e., dev, test, and reporting) that contain as much as 90 percent of the data that's in scope for the CCPA, masking sensitive information will bring those environments compliant with respect to the regulation.
By irreversibly masking personally identifiable information, this data becomes de-identified and is no longer considered personal information under CCPA or GDPR.
Also make sure vendors protect their data and follow the CCPA requirements. There is certain verbiage that needs to be in your vendor contract to shift liability to them for their failure to comply with the CCPA. Lastly, train everyone in your company who collects personal information.
Keep an auditable record of your privacy program. This means keeping track of everything from Phases 1 to 5. You can use this in the future to benchmark for the upcoming year or apply this to new lines of business that will help you easily update the phases that are necessary.
Data privacy will be the major defining characteristic between winners and losers across industries, especially as regulations continue to become forcing functions that demand and require companies to take better control of consumer data.
Delphix is an API-first data platform that performs end-to-end data masking and secures sensitive information before it’s ever shared across an organization or accessed by outsiders. The platform automatically detects confidential information, irreversibly masks data values, then generates reports and alerts to ensure that all sensitive data has been masked.
Delphix also masks consistently across heterogeneous data sources, so data is masked the same way across different tables and databases. Seven out-of-the-box algorithms are available to mask everything from names and social security numbers to images and text fields, and additional algorithms can be configured or customized to match specific security policies.
Data privacy and security will be the primary focus on every organization’s agenda in 2020 and beyond, so it’s critical to act now as regulators aggressively prepare to crack down on the largest and most comprehensive privacy and data security law in the country.
_Protecting your data is equivalent to protecting your customers. Learn how Delphix can help you d_e-identify sensitive data and achieve CCPA compliance to get the specifics on what type of data is protected under the CCPA.