CCPA Latest 2022
What is the CCPA (California Consumer Privacy Act)?
The California Consumer Privacy Act (AB 375) is a law that took effect on January 1, 2020. It is designed to enhance the privacy rights and protections of California residents by imposing rules on how businesses handle their personal information.
The CCPA is the most extensive consumer privacy legislation to pass in the United States and is akin to the European Union’s General Data Protection Regulation (GDPR) and other data privacy laws and privacy regulations.
The bill was put together in seven days to avoid a ballot initiative to pass an even stricter law that was opposed by many tech companies.
What are the Intentions of CCPA?
California’s new privacy law is designed to provide California residents with new rights to:
1-Know what personal data is being collected about them, e.g. smartphone locations, voice recordings or browsing history
2-Know whether their consumer data is sold or disclosed and to whom, e.g. app developers, service providers and advertising partners
3-Say no to the sale of personal data
4-Access their personal data, e.g. online activities, physical locations, ride-hailing routes, biometric data and ad-targeting data
5-Request a business delete their personal data, e.g. your phone number, social security number or IP address
6-Not be discriminated against for exercising their privacy rights
7-Access specific inferences that have been made about them, e.g. psychographics, predictions and categorizations
8-Authorize companies, activists, associations and others to exercise opt-out rights on their behalf
A lot of this functionality is already provided by large tech companies such as Facebook, Google, Microsoft and Twitter, who offer automated systems where you can log in and download a copy of certain personal data.
Other specific personal details can now be requested from the companies by Californians.
Once requested, companies must acknowledge a data access request within ten days and provide the information within 45 days.
What is Considered Personal Information Under CCPA?
CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could be linked, directly or indirectly, with a particular consumer or household such as:
1-Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
2-Characteristics of protected classifications under California or federal law
3-Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
5-Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
7-Audio, electronic, visual, thermal, olfactory or similar information
8-Professional or employment-related information
9-Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act
10-Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
As with the definitions of personally identifiable information (PII) and protected health information (PHI), publicly available information is not considered personal information under CCPA.
Who Must Comply With CCPA?
The CCPA applies to any for-profit business that collects personal data, operates in California and meets at least one of the following criteria:
1-Has annual gross revenues of at least $25 million
2-Buys or sells the personal information of 50,000 or more consumers or households
3-Earns more than half of its annual revenue from selling consumers’ personal information
Non-compliant companies can be fined $7,500 per data record that violates the data privacy requirements of CCPA.
How Can Organizations Comply With CCPA?
Organizations that must comply with CCPA must:
1-Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years old before selling or sharing their data for commercial benefit
2-Provide a “Do Not Sell My Personal Information” link on the home page of their website that enables Californians to opt out of the sale of their personal information
3-Designate methods for submitting data access requests, including, at a minimum, a toll-free phone number
4-Update privacy notices with newly required information including a description of California residents’ rights under CCPA
5-Avoid requesting opt-in consent for 12 months after a Californian opts out
6-Provide accessible privacy notices and have alternative format access clearly called out
The California law also requires employers to tell employees the categories of personal information they collect about them and the purpose of data collection.
What Happens if Companies are Not Compliant With CCPA?
Once regulators notify companies of a violation, they will have 30 days to comply with the law.
If the issue isn’t resolved, the following sanctions and remedies can apply:
1-Companies that suffer a data breach or data leak can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident per incident, or actual damages (whichever is higher), plus any other relief a court deems adequate; the California Attorney General’s Office has the option to prosecute the company instead of allowing civil suits to be brought against it
2-A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation
This is in addition to the other costs of a data breach which averaged $8.19 million in 2019. It pays to invest in software to prevent data breaches.
How is CCPA Different from GDPR?
While many view CCPA as the U.S. equivalent of GDPR, there are key differences.
The most important difference is that CCPA excludes data acquired through third parties. GDPR also sets out specific requirements for how organizations must protect personally identifiable information (PII), monitor for security incidents and report data breaches or data leaks; CCPA does not.
How Does CCPA Impact Cybersecurity?
Unlike GDPR, CCPA does not provide specific requirements about security and breach response. In fact, CCPA does not require organizations to report data breaches. That said, California does have its own data breach notification law, just like New York and every other US state.
The language of CCPA states that businesses must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information”, but does not specify what reasonable is.
Reasonable security procedures would, in our view, include:
Data leak detection
Vendor risk management
Vendor risk assessment questionnaires
Third-party security ratings
Incident response planning
The principle of least privilege
Vendor management policies
Information security policies
A third-party risk management framework
A cybersecurity risk assessment process
Security ratings provide real-time access to broad and objective data about industry-wide security performance across multiple categories including risk of vulnerabilities, email spoofing, spyware, ransomware, computer worms, malware, phishing, spear phishing, domain hijacking and man-in-the-middle attacks, as well as lack of DNSSEC, DMARC, SSL and other cybersecurity measures.