Why Data Security Is Critical for CCPA Compliance

Sep 25, 2024
October 4, 2024
Cyera

The California Consumer Privacy Act of 2018 (CCPA) is a privacy law that gives consumers and employees in California legal rights over how their data is collected, stored, sold, and shared. This law is a significant milestone in the country's data privacy and consumer protection landscapes, directly affecting consumers residing in California.

CCPA requires organizations to respect California residents' legal rights to manage their data—granting them increased control over their personal information.

Under the CCPA, consumers have the right to know about the personal data collected on them, the purpose for which it is used, and with whom it is shared.

Californians also have the right to request the deletion of their data, to opt out of the sale of their personal information, and to receive equal service and price from businesses—even if they exercise their privacy rights.

The CCPA took effect on January 1, 2020, and has since been amended and expanded by the California Privacy Rights Act (CPRA), which became operative in January 2023. The CPRA added new consumer rights, a dedicated enforcement agency (the California Privacy Protection Agency), and a new data category of "sensitive personal information."

Non-compliance with the CCPA

When organizations are found non-compliant with the CCPA, they can face hefty fines, penalties, and reputational damage.

Under the CPRA, the California Privacy Protection Agency (alongside the California attorney general, who retains enforcement authority) can fine a company that violates the CCPA $2,500 per violation, rising to $7,500 per intentional violation or per violation involving the personal information of consumers under 16. Because violations are counted per affected consumer, a single incident touching many records can produce a very large total.

CCPA non-compliance also creates legal risks.

Under the CCPA (Civil Code section 1798.150), consumers have a private right of action when their nonencrypted and nonredacted personal information is disclosed or stolen as a result of a business's failure to implement and maintain reasonable security procedures. The right is relatively narrow: it applies only to the specific categories of personal information covered by California's breach statute (for example, a name combined with a Social Security number, driver's license number, or financial account number plus access code), not to other CCPA violations. It is still significant, because affected individuals can sue for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. The "nonencrypted and nonredacted" qualifier also has a practical consequence: encrypting stored personal information with properly managed keys, and redacting it where it is not needed, directly narrows this exposure.

What Constitutes Personal Information

Personal information is defined by CCPA as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The categories of personal information include:

  • Identifiers like name, unique personal identifier, online identifier, IP address, social security number, driver’s license number, passport number, etc.
  • Customer records information like address, telephone number, insurance policy number, employment history, and bank account number
  • Characteristics of protected classifications under California or federal law
  • Commercial information
  • Biometric information like fingerprints, retina or iris scans, faceprints, and voiceprints
  • Internet or other electronic network activity information like browsing history and search history
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences

Given the law's broad definition of personal information and the extensive rights it grants consumers, businesses must undertake a comprehensive approach to data management.

They must ensure they have the processes and systems to respond to consumer requests, secure personal information, and maintain detailed records of data processing activities.

Determining Your CCPA Compliance Obligations

The CCPA applies to for-profit businesses anywhere in the world, not just those based in California or the United States, that do business in California and meet at least one of the thresholds below. Doing business in California includes, for example:

  • Having workers located in California
  • Providing goods or services to people located in California or to California residents
  • Receiving data about California residents from third parties

A for-profit entity that does any of the above is covered if it meets at least one of the following thresholds:

  • Annual gross revenue of more than $25 million in the preceding calendar year
  • 50% or more of annual revenue derived from selling or sharing consumers' personal information
  • Annually buys, sells, or shares the personal information of 100,000 or more consumers or households

According to the State of California, “CCPA generally does not apply to non-profit organizations or government agencies.”

CCPA compliance is a global challenge because the law applies to for-profit businesses regardless of location so long as they sell their offerings to Californians.

Navigating CCPA Requirements: What You Need to Know

Let's break down the main requirements of the CCPA, in terms of consumer rights provisions, data protection measures, and notification obligations.

Consumer Rights Provisions

Under the CCPA, California residents are afforded several key rights regarding their personal information (PI), which businesses must honor:

  1. Right to know: Businesses must disclose the personal information they collect, the purposes for which the personal information is used, and whether it is used for the sale of personal information or being shared, upon a consumer's request. They also have the right to receive a copy of all the personal information collected about them in a format that can be sent elsewhere.
  2. Right to delete: Consumers can submit requests to businesses for their personal information to be deleted.
  3. Right to opt out: Consumers have the right to opt out of the sale or sharing of their personal information by businesses. For consumers under 16, affirmative opt-in consent is required before their personal information may be sold or shared (from a parent or guardian for children under 13). Businesses are also limited to collecting and using personal information that is "reasonably necessary and proportionate" to the purposes disclosed to the consumer.
  4. Right to non-discrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights by denying goods or services or charging different prices.

As of January 1, 2023, consumers have new rights in addition to those above, such as:

  1. The right to correct inaccurate personal information that a business has about them; and
  2. The right to limit the use and disclosure of sensitive personal information collected about them.

Data Protection Measures

Businesses need to implement safeguards to secure and protect data from data breaches. The CCPA defines this obligation as implementing "reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure."

For businesses unsure where to start, the NIST Cybersecurity Framework “offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.”

Notification Obligations

Businesses subject to the CCPA have several notification obligations or privacy notices, including:

  • Notice at collection: At or before the point of collecting personal information, businesses must provide consumers with a notice that explains the categories of personal information to be collected and the purposes for which it will be used. 
  • Privacy policy updates: Businesses must update their privacy policies at least once every 12 months, detailing the information required under the CCPA, such as a description of consumers' rights and the categories of personal information collected.
  • Opt-out notices: Businesses that sell personal information must provide clear and conspicuous notice informing consumers of their right to opt out of the sale of their personal information.

Overcoming Common CCPA Compliance Challenges

Let's explore some typical challenges organizations face in achieving CCPA compliance, especially around data inventory management, third-party data sharing, and maintaining data security standards.

Data Inventory Management

Many organizations have a large and complex data ecosystem and struggle to build a comprehensive inventory of all the data in their systems, especially since that data is typically scattered across departments, systems, and storage solutions.

To overcome this challenge, organizations can implement data mapping tools and practices that identify and classify personal information, coupled with compliance checklists and regular audits and updates to the data inventory.

Third-Party Data Sharing

The CCPA requires organizations to manage the personal information they share with third parties carefully, ensuring those third parties comply with the CCPA's provisions. When an organization deals with numerous third parties, each with its own data handling and security practices, this becomes especially challenging.

Organizations should conduct due diligence on their third parties to ensure they have adequate privacy and security measures. Contracts and agreements with third parties should explicitly outline CCPA compliance requirements.

Regular audits or assessments must also monitor third-party compliance, along with identifying the categories of third parties to determine the data shared from a disclosure perspective.

Maintaining Data Security Standards

CCPA mandates that businesses implement reasonable security measures to protect the personal information they collect. However, cyber threats and how they constantly evolve make CCPA compliance an ongoing challenge.

Organizations can meet this challenge by implementing a comprehensive cybersecurity program that includes regular risk assessments, employee training programs, incident response plans, and deploying advanced security technologies.

Strategic Approaches to CCPA Compliance

To meet the CCPA (California Consumer Privacy Act) requirements effectively, organizations must adopt strategic approaches that focus on data discovery, classification, and governance practices.

Comprehensive Data Discovery

Understand the personal information you collect, store, and process through a thorough data discovery process. 

Data security platforms such as Cyera can streamline and accelerate data discovery by showing where your data (both structured and unstructured) is stored and who has access to it. These tools uncover data you may not be aware of while identifying risks in real time.

Data Classification

Classify the data based on its sensitivity level and relevance to CCPA regulations. Data classification revolutionizes data management by helping organizations understand the value and risk associated with their data. Specific platforms like Cyera have AI-powered classification that accurately classifies your data without manual tuning.

Implementing Robust Data Governance Frameworks

Data governance frameworks play a critical role in CCPA compliance as they help organize, secure, and standardize data across the organization. They establish clear policies and procedures for data management, including how data is collected, stored, used, and shared. 

Effective data governance ensures that all data handling practices align with CCPA regulations and other relevant laws, thus mitigating the risk of non-compliance.

Leveraging Data Security Platforms for CCPA Readiness

To become CCPA compliant, organizations can leverage data security platforms that offer comprehensive solutions for automated data discovery, risk assessment, and data protection.

Inventorying Personal Information

Understanding the scope and nature of personal information (PI) an organization collects, processes, and stores is one of the core foundations of CCPA.

Data security platforms facilitate this by automating the data discovery process. They scan the organization's data repositories across various environments – IaaS/PaaS/SaaS and on-prem – to identify and categorize personal and sensitive personal information relevant to CCPA. This automation saves significant time and resources, increases data visibility, and minimizes the risk of human error or negligence.
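As an added illustration of the discovery-and-classification step described here and under "Data Inventory Management" above, the following Python script (example code written for this page, not Cyera's product or any real scanner) shows the shape of a minimal personal-information scanner. Each detector maps a pattern to a CCPA category and a sensitive-PI flag, validates candidates to cut false positives, and records only a masked value so the inventory does not itself become another unprotected copy of the personal information. The category names, patterns, validators and the two sample inputs are assumptions constructed for the example and cover only a few of the categories listed earlier.

```python
"""Personal-information discovery for a CCPA data inventory (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    category: str    # CCPA category of personal information
    sensitive: bool  # True for CPRA "sensitive personal information"
    location: str    # "<source>:<line>" where the value was found
    masked: str      # redacted value, safe to store in the inventory


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(ssn: str) -> bool:
    """Reject numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def ip_ok(candidate: str) -> bool:
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def coords_ok(pair: str) -> bool:
    lat, lon = (float(p) for p in pair.split(","))
    return abs(lat) <= 90 and abs(lon) <= 180


def mask(value: str) -> str:
    """Hide everything but the last four characters (enough to correlate, not to identify)."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


# (category, sensitive under CPRA, pattern, validator). Assumed, simplified
# detectors for a subset of the CCPA categories; not a complete ruleset.
DETECTORS: list[tuple[str, bool, re.Pattern, Callable[[str], bool]]] = [
    ("Identifier: Social Security number", True,
     re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("Identifier: email address", False,
     re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda v: True),
    ("Identifier: IP address", False,
     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), ip_ok),
    # A bare card number is PI; it is sensitive PI only when stored together
    # with the security code or credentials that give access to the account.
    ("Customer records: payment card number", False,
     re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda v: luhn_ok(re.sub(r"[ -]", "", v))),
    ("Geolocation: precise coordinates", True,
     re.compile(r"-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}"), coords_ok),
]


def scan(source: str, text: str) -> list[Finding]:
    """Scan one text source line by line and return masked findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, sensitive, pattern, valid in DETECTORS:
            for m in pattern.finditer(line):
                if valid(m.group(0)):
                    findings.append(Finding(category, sensitive,
                                            f"{source}:{lineno}", mask(m.group(0))))
    return findings


def inventory(findings: list[Finding]) -> dict[str, dict]:
    """Roll findings up per CCPA category: count, sensitivity, and the sources holding it."""
    summary: dict[str, dict] = {}
    for f in findings:
        entry = summary.setdefault(
            f.category, {"count": 0, "sensitive": f.sensitive, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(f.location.split(":", 1)[0])
    return summary


# Constructed sample inputs (not real data): a CRM export and a web access log.
# Row 2 holds values that look like PI but fail validation; the log line shows
# PI leaking into a source that a database-only inventory would miss.
SAMPLE_CRM_EXPORT = """\
id,name,email,ssn,card,last_login_ip,last_location
1,Ana Lopez,ana.lopez@example.com,123-45-6789,4111 1111 1111 1111,203.0.113.7,"37.7749, -122.4194"
2,Test Row,not-an-email,000-12-3456,1234 5678 9012 3456,999.1.1.1,"91.0000, 0.0000"
"""
SAMPLE_ACCESS_LOG = (
    '203.0.113.7 - - [25/Sep/2024:10:00:00 +0000] '
    '"GET /account?ssn=123-45-6789 HTTP/1.1" 200\n'
)


def build_inventory() -> dict[str, dict]:
    findings = scan("crm_export.csv", SAMPLE_CRM_EXPORT) + scan("access.log", SAMPLE_ACCESS_LOG)
    return inventory(findings)


if __name__ == "__main__":
    for category, entry in build_inventory().items():
        flag = "SENSITIVE" if entry["sensitive"] else "PI"
        print(f"{flag:9} {entry['count']:2} {category:40} {sorted(entry['sources'])}")
```

Run it as a script to print the per-category summary. Two points the paragraph above glosses over are visible in the output: values that merely look like PI (an SSN with area 000, a card number that fails Luhn, an out-of-range IP) are dropped before they inflate the inventory, and the access log turns up a Social Security number and an IP address that scanning only the CRM database would never surface.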

Risk Assessment

Data security platforms offer automated risk assessment capabilities that evaluate the potential vulnerabilities and threats to personal information's confidentiality, integrity, and availability. These assessments are crucial for identifying and prioritizing high-risk areas requiring immediate attention and recommending security measures to mitigate identified risks.

Data Protection 

Data security platforms provide a range of data protection capabilities designed to safeguard personal information against unauthorized access and cyber threats, providing insight into critical security measures, such as encryption, access controls, data masking, data hashing, and many other key functionalities that help secure sensitive data.

Cyera: Simplifying CCPA Compliance for Organizations

If you’re a business covered by the CCPA, consumers are entitled to expect that you:

  • Know where their personal information is
  • Apply appropriate security controls to personal information
  • Respond to consumer privacy rights requests (e.g., requests to know or delete)

Cyera helps you meet these expectations for all your data automatically and at scale. Cyera helps businesses meet CCPA requirements by:

  • Inventorying all personal information in line with CCPA definitions
  • Efficiently classifying personal information and sensitive personal information
  • Instantly flagging and alerting about potential privacy compliance risks

Cyera’s data security platform provides deep context on your data, enabling you to apply correct controls to demonstrate privacy compliance.

Ensuring Long-Term Compliance with CCPA

Continuous data practices and regulatory landscape monitoring should be on top of any organization's priorities to ensure long-term compliance and swiftly adapt to any changes or updates.

Leveraging data security platforms like Cyera to enable effective data management, conduct regular audits and assessments, and enforce strict governance policies is crucial for maintaining transparency and accountability.

When this is supported by ongoing employee training on CCPA requirements and data privacy best practices, organizations are empowered to foster a culture of privacy awareness and compliance.

Secure Your CCPA Compliance Journey with Cyera

CCPA compliance is not just a regulatory requirement but a critical component of an organization's commitment to respecting and safeguarding consumer data.

Cyera’s data security platform offers a path to meeting the rigorous requirements of CCPA, ensuring your organization can manage and protect personal information effectively and with confidence.

For those looking to streamline their CCPA compliance and enhance their data security posture, discover how Cyera can fortify your data privacy efforts and empower you to achieve CCPA compliance.

Schedule a demo today.