Whether motivated by high-profile data breaches or an increasing unease about how companies use and misuse personal data, jurisdictions across the United States are implementing more stringent data privacy regulations. At the forefront of this movement stands the California Consumer Privacy Act (CCPA), which protects consumer privacy rights for California residents.
What is CCPA compliance?
The CCPA is a landmark data privacy regulation that gives California residents enhanced rights over their personal data. CCPA compliance means that businesses falling under its purview adopt the practices and measures needed to honor and enforce those rights.
The regulation casts a wide net on “personal data” by encompassing categories of personal information such as:
- Direct identifiers (like names or email addresses)
- Biometric information
- Social Security Numbers
- Web browsing history
- Geolocation data (including IP addresses)
- Professional or employment-related information
- Inferences drawn from other data to create consumer profiles
With all of this treated as personal information under the law, compliance is a must for the majority of for-profit businesses that meet the criteria. It is worth noting that several amendments to the CCPA followed in the form of the California Privacy Rights Act (CPRA), which expands upon the foundation laid out in the CCPA.
CCPA draws inspiration from the General Data Protection Regulation (GDPR). Just as GDPR was a landmark piece of legislation for data protection in the European Union, the CCPA sets a precedent in the United States that consumer data privacy is now a serious concern for businesses with repercussions for failing to protect it.
Despite coming into effect in January 2020, compliance with CCPA is a struggle for many businesses. Surprising research from 2022 found that 90% of companies are not fully compliant with CCPA requirements.
Who must comply with CCPA?
CCPA sets out specific criteria to determine which for-profit businesses (non-profits are exempt) must comply with the rules. A business must adhere to the CCPA if it collects the personal information of California residents and meets one or more of the following conditions:
- Has annual gross revenues in excess of $25 million;
- Buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more California residents, households, or devices; or
- Derives 50% or more of its annual revenue from selling California residents’ personal information.
If a business is not based in California but collects Californians’ personal information and meets any of the above criteria, it must still ensure CCPA compliance because the legislation has “extraterritorial reach.”
Regarding protected health information (PHI): if an organization handles PHI in compliance with the Health Insurance Portability and Accountability Act (HIPAA), that particular information is not subject to the CCPA’s requirements.
Key terms of CCPA
CCPA empowers consumers by granting them important rights in relation to their personal data. The following terms and consumer rights are crucial to understand for full compliance with the rules.
1. Right to Access:
- Consumers have the right to request that businesses disclose the categories and specific pieces of personal information they have collected about them. This includes the right to obtain a copy of that information.
- Consumers can request information about the purposes for which a business uses or sells their personal information.
2. Right of Notice:
- Consumers have a right to be notified, either before or at the point of data collection, precisely which types of personal information a business is collecting and what that business plans to do with it.
3. Right to Opt-In (Minors):
- For consumers between 13 and 16 years of age, businesses must obtain affirmative authorization (often called “opt-in consent”) before selling their personal information. For minors under 13, parental or guardian consent is mandatory.
4. Right to Opt-Out:
- The CCPA grants consumers the right to opt out of the sale of their personal information.
5. Right to Non-Discrimination:
- The CCPA forbids companies from discriminating against anyone who decides to exercise their rights under the law.
- This non-discrimination principle helps ensure that consumers can freely make choices about their personal information without facing adverse consequences.
- Acts of discrimination prohibited under this principle include denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level or quality of goods or services.
6. Right to Delete:
- Consumers can submit a request that a business delete the personal information it has collected from them.
- The right to delete also extends to requesting that any of the business’s service providers remove the consumer’s data.
What are the penalties for violating CCPA?
As with many other data privacy laws, one of the main drivers of compliance is the threat of large penalties levied by the California Attorney General. The following penalties apply in cases of non-compliance:
- Entities violating the CCPA are subject to a civil penalty of up to $2,500 for each violation, or up to $7,500 for each intentional violation.
- Formerly, a 30-day cure period gave businesses the chance to remedy issues causing non-compliance before a fine was applied, but that’s no longer the case.
- CCPA also contains provisions that give consumers the right to bring private lawsuits. Known as the law’s “private right of action,” this right applies where consumers’ non-encrypted and non-redacted personal information is breached due to a failure to implement appropriate data security measures. Damages in these civil actions range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
How to comply with CCPA
With a solid understanding of CCPA, its compliance obligations, and the consequences of non-compliance, here are some actionable tips to help ensure your business is not one of the many companies that fall short of the rules.
1. Classify Data to Identify and Locate Personal Data
Identify where personal data resides within your systems, who has access to it, and how it’s used. Consider creating a visual representation of data flows throughout the organization to easily locate and manage personal data.
2. Adopt Data Security and Privacy Practices Like Encryption and DLP Solutions
Encrypting personal data both at rest and in transit over networks protects its privacy: even if threat actors manage to steal or access the data, they cannot read it without the decryption key. Another reasonable security measure is to adopt data loss prevention (DLP) tools, including Device Control, that monitor and control data transfers across your networks to prevent unauthorized data leaks. Lastly, conduct regular security assessments to identify vulnerabilities and ensure all protective measures are up to date.
3. Implement Internal Processes to Respond to Consumer Rights Requests
Have a system in place to efficiently receive, process, and respond to consumer requests within the CCPA’s 45-day timeframe. The response period can be extended to a total of 90 days, but only if you inform the consumer first. Document all requests and your responses to ensure accountability.
4. Train Employees on Directing Consumers to Exercise Their Rights
Ensure that employees, especially those in customer-facing roles, are familiar with the CCPA and how it affects consumers. Offer resources or guidelines for employees to direct consumers to the appropriate channels for CCPA-related queries or requests.
How can Endpoint Protector help you become CCPA compliant?
The protection of personal data is more than just a technical compliance requirement; it’s a testament to a business’s commitment to its consumers. With the introduction of regulations like the CCPA, businesses are under increasing scrutiny to ensure the confidentiality and security of the data they handle.
This is where Endpoint Protector comes in as a leading multi-OS DLP solution. Endpoint Protector supports CCPA compliance in the following ways:
- Data discovery functionality locates and protects PII and other sensitive data stored on employee endpoints using detailed content and context inspection.
- Content Aware Protection keeps personal data from leaving your network by monitoring data movement and controlling exit points, including web browsers, instant messaging applications, uploads to cloud storage services, and more.
- Monitoring policies can be converted into restrictive policies to help you block unwanted file transfers and other unauthorized data movements.
- Enforced Encryption uses 256-bit AES encryption to preserve data privacy for data transferred to portable USB storage devices.
Endpoint Protector is not just a tool—it’s a guardian. Our DLP platform actively monitors and controls data transfers across your network to ensure that sensitive information doesn’t fall into the wrong hands, whether by accident or through malicious intent.