Protecting customer data and privacy is a crucial and necessary requirement when it comes to running a business. During May 2018, the world witnessed the introduction of the European data privacy law dubbed the General Data Protection Regulation (GDPR).
A similar one has been implemented by the California governor, Jerry Brown, known as the California Consumer Privacy Act (CCPA) and has come into effect as of January 2020. Because of this, businesses need to be aware of it if they conduct businesses in the state of California.
Sadly, most businesses aren’t aware of the need for being CCPA compliant. If you’re a huge enterprise business, then your legal team may have already taken care of CCPA, but unfortunately it’s become a headache for SMBs without the resources or in-house expertise to get up to speed with the new requirements.
If you have any experience complying with GDPR, then this shouldn’t be too much of a hassle. Otherwise, it’s time to buckle down and get to work on becoming compliant.
Let’s go over what you need to know in order to become compliant.
What is the CCPA?
CCPA is short for California Consumers Privacy Act. This is one of the most recent personal data protection laws passed by the State of California in response to the increasing role for personal data in contemporary business practices and the personal privacy implications that affect the collection, use, and protection of an individual’s personal information.
California has become the first government to lead among the US states in passing laws for protecting the privacy of its residents.
Companies subject to CCPA are required to send out privacy notices to their California employees and contractors informing them what personal data they’re collecting and how it’s being used.
Which businesses does the CCPA affect?
Every business that services California residents and has amassed a minimum of $25 million in annual revenue must comply with this law. Additionally, businesses of any size that gather personal data on at least 50,000 people or that collect over more than half of their revenues due to sales of personal data, must comply with this law as well.
Businesses don’t have to be based in California or have a physical presence there to fall under this law. They don’t even need to have their business based within the United States.
An amendment was passed in April 2019 that exempts businesses in insurance, agents, and support organizations, as they’ve already become subject to similar regulations known as California’s Insurance Information and Privacy Protection ACT (IIPPA).
When does your company need to comply with the CCPA?
Well, the law has already gone into effect as of January 1, 2020. So your company should have already worked into becoming compliant by now.
Most companies had already started having their data tracking systems in place, due to consumers having the right to request all the data a company has managed to gather on them over the previous 12 months. So, you may have a problem with your hands if you haven’t started already.
What happens if you don’t comply with the CCPA?
The CCPA is enforced by the California Attorney General, and at the moment provides business 30 days to comply if accused of noncompliance. Although, a proposed bill is capable of removing this given time frame and allows enforcement immediately. Civil penalties will be imposed for up to $2,500 per violation or $7,500 for intentional violations. The CCPA extends a private right of action to consumers giving companies exposure not only to the government fines but also to lawsuits from consumers. When you consider how many records can be affected by the potential breach, the penalties can rack up quite rapidly.
Who does the CCPA protect?
The CCPA is supposed to protect privacy by offering Californians the right to access, delete, and withdraw the sale of their data. The CCPA protects customers, which is broadly defined under California residents. Customers can extend from both California residents who are currently residing in the state and those who are traveling abroad. They close in on customers of goods and services, employees, and business-to-business transactions.
This California law takes a wide-ranging approach to what falls under sensitive data than its European counterpart does. For instance, olfactory information is covered in the bill, along with a person’s browsing history and records of visitor’s interactions with either website or applications. Here what you should be aware of is that the CCPA considers personal information:
1. Identifiers such as the customers name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
2. Characteristics of protected classification under either California or federal law
3. Commercial information such as records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
4. Internet or any other electronic network activity information include, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website application or advertisement.
5. Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
6. Inferences garnered from any of the information identified in this subdivision to develop a profile about a customer reflecting the customer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
7. Geolocation data;
8. Audio, electronic, visual, thermal, olfactory, or similar information;
9. Professional or employment-related information
10. Biometric information
At the moment, AB 874, an amendment is awaiting the governor’s signature which would exempt publicly available, identify and aggregate customer information from being classified as PII. Publicly available information is known as data available and maintained from the government records.
Initially, the CCPA did cover employees along with customer data. Unfortunately, an amendment was passed during April that exempts employee data from falling under regulation. Furthermore, amendment AB25 is capable of partially exempting personal information gathered from job applications, owners, directors, officers, medical staff, and contractors. This exemption has an expiration date set for January 1, 2021.
Important privacy provisions under the CCPA
The CCPA grants customers the right to be aware of what personal information a company is selling, disclosing, or collecting about them as well as categories of third parties who purchased or received their data. Customers also have the right to obtain a copy of the personal information gathered about them by conducting verified consumer requests. Consumers then have the right to transmit the information one entity to another.
Customers will be allowed to request that a company deletes any of the personal information that the business has gathered from them. The CCPA allows certain exceptions to this deletion right, such as when personal information is absolutely necessary to perform a contract or finalize a transaction.
Customers will also be given the right to withdraw out of the sale of their personal information, and the CCPA forbids companies from discriminating against customers that exercise their withdrawal rights. Companies are not allowed to request customers to sign contracts that limit their data privacy rights under the CCPA.
This includes contract provisions limited or waiving the right to a specific remedy or means of enforcement due to an alleged violation.
Companies must also notify customers of their rights under the CCPA, including the right to delete personal information, right to know, an data portability right as well as how to exercise said rights. These required disclosures can either be done through privacy policies that must explain how the collected data will be utilized.
The CCPA imposes obligations for companies to sell customer’s personal information or the data of their children.
Companies are required to introduce a process that responds to verified consumer requests and withdrawal requests. For example, responses to customers’ requests must cover the 12-month period preceding the request, so companies have a way to date the data they’ve gathered.
Businesses will have to create at least two portals for submitted requests available to customers including, but not limited too, a toll-free phone number and a website address if the business maintains one.
Companies will need to respond to customer requests for information within 45 days of receiving the request, which may be delivered either through postal mail or email in a portable format. Although, for online-only businesses, one proposed amendment to the CCPA does allow them to create an email address available for submitted requests for information.
What does this mean for security
Amendment AB 375 is quite light on requirements for security and breach responses. As previously mentioned, the law does define penalties for businesses that expose a customer’s data due to a breach or security lapse.
It also allows courts the chance to offer injunctive or declaratory relief or any other relief that seems proper to the court.
Companies are not obligated to report breaches due to AB 375, and customers must file complaints before fines can be conducted.
The best thing a company can do for security is to understand what AB 375 defines as private data and take the appropriate steps to secure them.
The necessities behind AB 375 about tracking, accessing, and storing data means that security teams will need to work with the database administrators.
Any tools chosen to help deal with this amendment will not only need to be completely transparent about data stored all over the corporate environment but also make sure that access to this data is properly secured.