As we started off the new year, the California Consumer Privacy Act was getting underway. The Act, at its most basic, is a way to offer protection to consumers. It lets the consumer know what information will and will not be sold and to whom and offers the consumer the ability to opt-out of having his or her information sold.
If you’re doing business in California, you need to be aware of this new regulation and you have to protect yourself (and your customers) by implementing measures to assure your business is in compliance. In today’s global environment you should be in compliance with the strictest consumer privacy act – that way you will be in compliance with others that may not be so strict.
The GDPR, the European Union’s response to consumer privacy, was enacted previously; if your business is not in compliance with that Act, now is the time to look into GDPR and CCPA compliance. Don’t wait for potential noncompliance to cause fines to be levied against your business.
The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law that took effect on January 1, 2020. The California Consumer Privacy Act represents one of the most sweeping acts of legislation enacted by a U.S. state to bolster consumer privacy. Falling on the heels of the GDPR, California Consumer Privacy Act may mark the beginning of stricter U.S. consumer privacy protections.
The intentions of CCPA are to provide California residents with the right to:
1. Know what personal data is being collected about them.
2. Know whether their personal data is sold or disclosed and to whom.
3. Say “no” to the sale of personal data.
4. Access their personal data.
5. Request a business to delete any personal information about a consumer collected from that consumer.
6. Not be discriminated against for exercising their privacy rights.
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following thresholds:
1. Has annual gross revenues in excess of $25 million;
2. Buys or sells the personal information of 50,000 or more consumers or households; or
3. Earns more than half of its annual revenue from selling consumers’ personal information.
In addition, organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
Responsibility and accountability
1. Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes (Cal. Civ. Code § 1798.120(c)).
2. Place a “Do Not Sell My Personal Information” link on the home page of the business’s website that directs users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information (Cal. Civ. Code § 1798.102).
3. Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)).
4. Update privacy policies with newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
5. Avoid requesting opt-in consent for 12 months after a California resident opts out (Cal. Civ. Code § 1798.135(a)(5)).
Sanctions and remedies
The following sanctions and remedies can be imposed:
1. Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c)).
2. Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).
3. A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).
4. Privacy notices must be accessible and have alternative format access clearly called out.
Definition of personal data
CCPA defines personal information as: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
An additional clause covers information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
The CCPA does not consider publicly available information to be personal information.
Key differences between CCPA and the European Union’s GDPR include:
1. The scope and territorial reach of each
2. Definitions related to protected information
3. Levels of specificity
4. Opt-out right for sales of personal information
The CCPA’s definition of personal information differs from the GDPR’s in that, in some cases, the CCPA only considers data that was provided by a consumer and excludes personal data that was purchased by, or acquired through, third parties [the italicized portion of this sentence is open to debate]. The GDPR does not make that distinction and covers all personal data regardless of source (even for sensitive personal information, the protection does not apply if the information was manifestly made public by the data subject themselves, following the exception under Art. 9(2)(e)). As such, the GDPR’s definition is much broader than the CCPA’s.
I run an IT & Cyber Security Consultancy focusing on Business Continuity/Disaster Recovery (BCDR). We work with professionals in many fields including legal, real estate, accounting and healthcare.
If you have a security, business continuity, disaster recovery or any other cybersecurity concern or challenge, let me know. I am also filling up my calendar with guests on my Security Disciple Podcast. If you’d like to be a guest, please DM me @waregeeks, call (877) 653-7146, or email me at email@example.com. www.waregeeks.com