CCPA Compliance
The Most In-Depth Guide
The new California privacy law presents a number of compliance challenges for organizations of all sizes.
Find out what steps you should take to avoid the fines and how our DLP solution can help you achieve CCPA compliance.
WHAT IS CCPA?
The California Consumer Privacy Act (CCPA) is a consumer privacy law regulating how businesses handle customer information. The government of the State of California enacted the CCPA – Assembly Bill 375 – with urgency in late June 2018, and amended it in September 2018.
Based on the General Data Protection Regulation (GDPR) and recent data breaches, CCPA aims to empower consumers with new rights in order to protect their privacy. Business transparency is encouraged and gives consumers a certain amount of control over how their personal information is used with the goal of reducing misuse.
WHO HAS TO COMPLY?
There has been some confusion regarding the CCPA with the popular assumption being that all businesses will have to comply. In reality, the privacy law applies only to for-profit entities that conduct business in California, and meet at least one of the following three conditions:
There has been some confusion regarding the CCPA with the popular assumption being that all businesses will have to comply. In reality, the privacy law applies only to for-profit entities that conduct business in California, and meet at least one of the following three conditions:
Right to know
- Businesses must notify consumers what personal information is being collected about them, how it’s being collected and used, as well as whether and to whom it’s disclosed or sold. Disclosures generally should occur through a publicly posted privacy notice, and specifically upon request by a consumer.
Right to access
- Businesses covered by the CCPA that collect California residents’ personal information must provide the following on request:
- The collected categories of personal information (e.g. name, phone number, date of birth)
- The specific pieces of the collected personal information
- The categories of sources of personal data
- The commercial purpose of collecting or selling personal information
- The categories of third parties with whom the personal information is shared
- The “look back” requirement: companies will need records of personal information collected dating back 12 months before January 1, 2020, which is January 1, 2019.
Right to opt-out
- The right to opt-out is one of the most impactful elements of the CCPA, which doesn’t list any exceptions.
Businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties, although it’s subject to certain defenses. - If a business sells personal information, it must provide a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on its homepage that enables a consumer or a person authorized by the consumer to opt out of the sale of personal information.
Right to equal service and price
- Businesses are prohibited from discriminating against California consumers for exercising their rights under the law. Discrimination includes, but it’s not limited to: denying, charging different prices for, or offering different qualities of goods or services.
- However, the CCPA does allow businesses to offer different prices or levels of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.” Companies can also offer financial incentives to consumers in exchange for the collection or sale of their personal information.
Right to erasure
- A consumer has the right to request an organization to delete their data, subject to certain exceptions. The business must also instruct its service providers to delete the data.
Special protection to minors
- Businesses should assess whether they are likely to engage in any activity that could be considered as “selling” personal information about consumers younger than 16 years, and if so, consider establishing protocols and procedures to mitigate risks.
- CCPA imposes an affirmative consent requirement for the sale of personal information of any minor if the business has “actual knowledge” the consumer is younger than 16 years.
- The “affirmative consent” must be sought from:
- parents or guardians of consumers under 13 or,
- consumers themselves if they are aged 13 to 16.
The CCPA aims to encompass all of the sensitive and personal information consumers would like to manage, more specifically: personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.
Additions that will be categorized as personal information under CCPA:
- IP addresses
- Geolocation data
- Biometric informatio
- Device and cookie IDs
- Internet activity information like browsing history, purchase history or tendencies
- Characteristics concerning an individual’s race, color, sex, age, religion, genetic information, sexual orientation, political affiliation, national origin, disability or citizenship status
- Inferences that are drawn from personal information “to create a profile about a consumer reflecting the consumer’s preferences, characters, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”
Update Privacy Policy with a description of a consumer’s privacy rights under the CCPA
Businesses should create a new procedure that briefs consumers of their rights and any proposed sale of their personal information, as well as provide them access to exercise their right to deny any sale of their personal data.
Businesses must make clear that consumers have the right to opt-out of the sale of their information.
Classify Data to identify and locate sensitive personal data across the organization
Companies will have to identify previously collected personal information about the consumer.
Businesses will also need to know why they collected the personal information; which categories of personal information were sold; and which categories were disclosed for a business purpose.
It’s important for businesses that fall under the scope of CCPA to keep up-to-date detailed records.
Implement internal processes to respond to Consumer Rights Requests
Businesses will have to implement protocols in order to handle all consumer requests in regards to their personal data. This includes situations when consumers say no to the sale of their data, as well as cases when they don’t allow the disclosure of their data to third parties.
Train Employees on how to direct consumers to exercise their rights
Businesses will have to train all of their employees who handle consumer inquiries regarding privacy practices about the CCPA as well as how consumers can exercise their rights.
Adopt Data Security Practices and Solutions like encryption and data loss prevention products
Endpoints, gateways, and cloud services must be sufficiently safeguarded to prevent unauthorized access, stop unauthorized changes, and protect personal data from malicious threats that attempt to compromise data integrity.
Security tools should continually assess endpoints, servers and other systems to avoid new threats due to out-of-date and unpatched operating systems and applications.
Protect Data at Rest
- Protection against unauthorized storage
- Protection against intentional data theft and accidental loss on Windows, macOS, Linux and removable media like USB devices
- Scanning data at rest stored on employees’ endpoints for sensitive data based on predefined or custom content, file name, etc.
- Encrypting the data to protect it from potential breaches
Protect Data in Motion
- Protection against unauthorized transmission
- Safeguarding personal data in motion across multiple channels and preventing it from leaving the network
- Monitoring and controlling data in motion, deciding what confidential files can or cannot leave the company via various exit points
Get started today!
Get your latest dose of
News and Insights aboutCCPA
News and Insights about
