What is the CCPA and What’s Needed for Compliance?
You've heard of the CCPA but what are the costs of noncompliance? We answer those questions and look at how organizations can use a DLP solution to help facilitate CCPA compliance in this blog.
The California Consumer Privacy Act (CCPA) is a law that gives consumers in California rights regarding the personal information that companies have collected about them. In some ways, the law is similar to the EU’s General Data Protection Regulation (GDPR) data privacy standards. Achieving compliance requires organizations to identify and protect data elements that are subject to the CCPA.
In this article we’ll review:
The CCPA, and by extension the California Privacy Rights Act (CPRA), an amendment to the CCPA, is designed to give California residents control over the personal information that businesses collect about them. The law was introduced in 2018, with enforcement beginning on July 1, 2020. The CCPA provides rights to California consumers that include:
- The right to know what personal information a business collects about them and how it is used and shared
- The right to delete personal information collected about them
- The right to opt out of their personal information being sold or shared
- The right to not be discriminated against for exercising CCPA rights
The CCPA was amended in November 2020. The amendments gave residents additional privacy protections and rights regarding their personal data. These rights, which went into effect as of January 1, 2023, include:
- The right to correct inaccurate information collected by a business
- The right to limit the use and disclosure of sensitive personal information collected about them
The CCPA affects residents of California and organizations that collect and process their personal data. The protections defined in the CCPA also apply to California residents when they are traveling out of state.
The CCPA applies to for-profit businesses that meet at least one of the following criteria:
- Companies that have gross revenue of more than $25 million
- Companies that buy, sell, or share personal information for over 100,000 California residents
- Organizations that make more than 50% of their annual revenue from selling the personal information of California residents
The CCPA defines two categories of data that are protected by the regulations.
Personal information is data that identifies, relates to, or can be linked with an individual or their household. Examples of personal information include:
- Social Security number
- Email address
- Geolocation data
Sensitive personal information is a subset of personal information that includes:
- Government identifiers such as Social Security numbers
- Financial information that enables access to an account
- Contents of emails or text messages
- Genetic data
- Data relating to a consumer’s health, sex life, or sexual orientation
- Data about ethnic or racial origin
- Data concerning an individual’s religious or philosophical beliefs
Companies doing business with California residents should take the following steps to comply with the CCPA.
- Inventory and map all consumer data to identify information subject to CCPA protection.
- Implement the technical and administrative processes needed to secure consumer information.
- Develop a notice of collection that is provided to all consumers before or at the time data is collected.
- Implement a process to receive and address consumers’ requests regarding the personal information collected about them. Procedures need to be in place to verify the identity of individuals making the requests.
- Enforce data minimization practices to ensure that data no longer needed is purged from an organization’s systems.
- Provide training for all employees involved in handling data that is subject to CCPA standards.
The California Office of the Attorney General (OAG) enforces the CCPA. When an organization is notified of an alleged noncompliance issue, it has 30 days in which to rectify the problem. Violators may need to take curative action to address the noncompliance as well as modify their procedures to ensure future compliance.
The OAG can seek civil penalties of up to $2,500 per accidental violation and up to $7,500 per deliberate violation if the issues are not successfully addressed within the 30-day timeframe.
There have been numerous instances of fines being levied against companies in violation of the CCPA. They include findings against online retailers that did not offer opt-out options to consumers and those that did not provide methods enabling consumers to exercise their CCPA rights.
Implementing a data loss prevention (DLP) solution improves an organization’s ability to achieve and maintain compliance with the CCPA. A major factor in achieving compliance is the identification of data resources that are subject to the protections of the CCPA.
DLP tools provide the visibility into the IT environment required to efficiently inventory and categorize data resources. A reliable DLP tool also enforces a company’s data handling policy to ensure that personal data is protected effectively from unauthorized use.
Digital Guardian offers its customers a cloud-based, SaaS DLP solution that can be deployed quickly and easily integrates with existing data classification tools. Cross-platform support covers Windows, Linux, and macOS systems as well as applications and browsers.
Contact Digital Guardian today and start giving your information the protection required to comply with the CCPA and other regulatory guidelines.
Does the CCPA apply to individuals visiting California?
No, the data privacy protections of the CCPA do not apply to individuals visiting California. The law only protects residents of California and extends these protections while they are traveling out of the state. This can complicate compliance efforts, as individuals must be identified as being California residents so the protections can be applied.
Is health information subject to CCPA regulations?
A CCPA HIPAA exemption is available to larger organizations that collect data on over 50,000 consumers. Protected health information (PHI) collected for treatment, payment, or healthcare operations is exempt from CCPA guidelines. Healthcare information collected for any other reason does need to comply with the regulations of the CCPA.
What was the first case of CCPA enforcement?
The first case of CCPA noncompliance enforcement was a settlement between the California Office of the Attorney General and Sephora, Inc. Sephora failed to disclose that it was selling personal information, failed to process user requests to opt out, and did not address the violations within the 30-day grace period. The settlement required Sephora to pay $1.2 million and fix its noncompliant processes.