The California Consumer Privacy Act of 2018 (CCPA) took effect on January 1, 2020, and protects a wide range of privacy rights for California residents. The CCPA statute and its regulations protect consumer privacy by requiring businesses to notify consumers, at or before the point of collection, what personal information is collected and how it will be used; to obtain opt-in consent before selling the personal information of consumers under 16; to fulfill “request to know” inquiries from consumers in a timely manner; and to provide accessible opt-outs from the sale of personal information and a way to request deletion of personal information.
The CCPA can be seen as California’s answer to the EU’s General Data Protection Regulation (GDPR), and, like the GDPR, it reaches businesses outside its own borders. Its rules and regulations, while not as extensive as the GDPR’s, can still be difficult to parse. Here we cover the key points you need to know about the CCPA and what you can do to keep your organization compliant.
Which businesses need to be CCPA compliant?
At first glance, it may seem that the CCPA applies only to businesses based in California. In fact it regulates any for-profit business that does business in California and collects personal information from California residents, including businesses based outside the United States. Nonprofit organizations and government agencies are not covered.
The CCPA applies to a business that does business in California and meets one or more of the following thresholds:
- Has gross annual revenue in excess of $25 million
- Annually buys, sells, receives or shares the personal information of 50,000 or more consumers, households, or devices (the CPRA amendments, effective January 1, 2023, raised this threshold to 100,000 consumers or households)
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information
If your business meets none of these thresholds, it may be exempt from the CCPA. However, if you are growing or conducting any business online, it becomes harder to confidently ignore the CCPA. A small business with no online footprint may be able to ignore it safely, but businesses with a digital presence are advised to be “privacy forward,” since they may soon cross one of the thresholds.
What types of data are regulated by the CCPA?
Personal information under the CCPA is any information that identifies, relates to, or could reasonably be linked with a particular consumer or household. Examples include:
- Location information
- Mailing or billing addresses
- Credit card numbers
- Income or similar information
- Internet browsing and search history
- Political and religious affiliations
- Biometric data
In short, personally identifiable information (PII) in its many forms is protected by the CCPA. Even if a business is not selling or sharing it, the information it has collected must be protected with appropriate security measures. Industries that tend to collect larger amounts of sensitive personal information include financial services, healthcare, higher education, eCommerce, manufacturing, and telecommunications.
Businesses that are unsure what information their organization collects day to day, and how each piece of data is stored, accessed and protected, should start with sensitive data discovery to get an accurate picture of where CCPA compliance work needs to begin.
5 steps for becoming CCPA compliant
If you know, or suspect, that your business collects PII from consumers and customers in the United States, it is in your best interest to become CCPA compliant. Even if your customer base is not predominantly California residents, if your services are available to anyone in the United States there is a good chance your organization has collected, or will at some point collect, PII that the CCPA protects. Below are five recommended steps an organization should take to become CCPA compliant.
1. Get an accurate read of your organization’s data
Most organizations think they know the scope of the data they collect, but it is very common for data to hide in unexpected places such as file shares, mailboxes, backups and log files. To be compliant with the CCPA, or with any legal regulation, your team should know all of the data your organization holds, what types of data are collected on an ongoing basis, and where all sensitive data lives. Data discovery can be tricky because unstructured data is not easily searchable, and naive pattern matching produces many false positives. Thankfully, there are sensitive data discovery tools that can aid security teams in the process while providing efficient, accurate results.
2. Create and implement classifications for your organization’s data
Once you have a full understanding of the data that lives within your organization, you can begin organizing it with classification labels. This matters because not all data needs the same level of protection, nor must it be retained on your organization’s network for the same length of time. Classification makes monitoring and remediation much easier for your security team, and there are tools that automate classification once your organization sets the parameters and terminology.
3. Take necessary remediation steps
Remediation does not always mean deletion. The best action depends on the types of sensitive data your organization has acquired, and includes actions like cleansing, masking, organizing or migrating data so it is fit for its intended purpose while adhering to compliance regulations.
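To make steps 1 to 3 concrete, here is an added example in Python of a minimal discovery, classification and remediation pass over unstructured text. It is illustration only, not Spirion’s code and not code from the original article. The regular expressions, the `CLASSIFICATION` policy, the label precedence and the `SAMPLE_RECORDS` ticket text are all constructed assumptions; a real discovery tool scans file shares, databases and mail stores rather than an in-memory dictionary. What it adds beyond the prose is the false-positive problem that makes unstructured data hard to search: a loose card-number pattern also matches order numbers, so a Luhn checksum is applied before a match is reported, and obviously invalid SSN ranges are excluded in the pattern itself.

```python
"""Toy sensitive-data discovery, classification and remediation over
unstructured text. Added example for illustration only; not Spirion's code.
Patterns, labels and sample records below are constructed assumptions."""
import re
from dataclasses import dataclass

# Detector patterns: (data type, compiled regex). The card pattern is
# deliberately loose (13-19 digits with optional spaces or dashes); the Luhn
# check in discover() removes most false positives such as order numbers.
# The SSN pattern rejects area 000/666/9xx, group 00 and serial 0000.
PATTERNS = [
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
]

# Assumed classification policy: a label per data type, and a precedence
# used when one record holds several types.
CLASSIFICATION = {"credit_card": "restricted", "ssn": "restricted", "email": "confidential"}
LABEL_RANK = {"public": 0, "confidential": 1, "restricted": 2}


@dataclass
class Finding:
    data_type: str
    label: str
    start: int
    end: int
    value: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; expects digits only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(text: str) -> list[Finding]:
    """Step 1: locate sensitive values in one unstructured record."""
    findings = []
    for data_type, pattern in PATTERNS:
        for m in pattern.finditer(text):
            value = m.group(0)
            if data_type == "credit_card" and not luhn_valid(re.sub(r"[ -]", "", value)):
                continue        # looks like a card number but fails the checksum
            findings.append(Finding(data_type, CLASSIFICATION[data_type], m.start(), m.end(), value))
    return sorted(findings, key=lambda f: f.start)


def record_label(findings: list[Finding]) -> str:
    """Step 2: a record inherits the most sensitive label of anything in it."""
    return max((f.label for f in findings), key=LABEL_RANK.get, default="public")


def redact(text: str, findings: list[Finding]) -> str:
    """Step 3: remediate in place. Restricted values are fully masked;
    confidential e-mail addresses keep only the domain so the record stays useful."""
    out, pos = [], 0
    for f in findings:
        if f.start < pos:       # overlaps an earlier finding that is already masked
            continue
        out.append(text[pos:f.start])
        if f.label == "restricted":
            out.append("[" + f.data_type.upper() + " REDACTED]")
        else:
            out.append("[EMAIL @" + f.value.split("@", 1)[1] + "]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample records standing in for a ticketing-system export.
SAMPLE_RECORDS = {
    "ticket-1042": "Customer jane.doe@example.com says card 4111 1111 1111 1111 was charged twice.",
    "ticket-1043": "Order 4111 1111 1111 1112 shipped; SSN on file 123-45-6789.",
    "ticket-1044": "Test account 000-12-3456 has no payment method.",
}


def inventory(records: dict[str, str]) -> dict[str, list[Finding]]:
    """Discovery across a whole data source: record name -> findings."""
    return {name: discover(text) for name, text in records.items()}


if __name__ == "__main__":
    for name, found in inventory(SAMPLE_RECORDS).items():
        print(name, record_label(found), [f.data_type for f in found])
        print("  ", redact(SAMPLE_RECORDS[name], found))
```

Run as a script, the example reports the card in ticket-1042 but not the Luhn-invalid number in ticket-1043, which a bare digit-run pattern would have flagged, and it rejects the 000-prefixed value in ticket-1044 so that record stays public. Masking rather than deleting keeps the tickets usable, which is the point of step 3: remediation does not always mean deletion.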
4. Make Subject Rights Requests easy for consumers and for your team
Under the CCPA, California consumers are entitled to request what personal information a business has collected about them and how it is being used, and to request its deletion. These requests should be easy for your customers to submit, and just as easy for your security and legal teams to process. Because the CCPA regulations require a business to confirm receipt of a request within 10 business days and to respond within 45 calendar days (extendable once by a further 45 days, with notice to the consumer), it is important to have a system in place that works efficiently. Verifying the requester’s identity before disclosing or deleting anything is itself a CCPA requirement, and skipping it turns the request channel into a data-leak path. This is where compliance automation tools with features such as name recognition, identity matching and comprehensive dashboards can help your organization remain CCPA compliant.
5. Create data governance and data classification policies
Once you’ve organized and assessed your data, your organization should write data governance and data classification policies so that everyone on your team works from the same rules. When everyone in your organization knows who owns which data and how each classification must be handled, your team can work more efficiently and accurately.
What are the risks of CCPA non-compliance?
If your business is found in violation of the CCPA, there may be financial penalties. The civil penalty for an unintentional violation is up to $2,500 per violation, rising to up to $7,500 per violation if the violation is intentional. What is important to note is that each penalty is assessed per violation, so if hundreds, or even thousands, of your customers are affected, the total can quickly add up to millions of dollars. Separately, the CCPA gives consumers a private right of action when their nonencrypted and nonredacted personal information is exposed in a breach caused by the business’s failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. That provision is the one that most directly turns a security shortcoming into CCPA liability.
Aside from financial penalties, the general public is taking privacy rights more seriously. Your business’s reputation may be damaged if it is accused or found in violation of the CCPA. The trust of your customers and community is too valuable to risk.
Tools to help your business become CCPA compliant
Manually searching for every instance of PII within your organization is time consuming, as is fulfilling Subject Rights Requests. Automated tools, like Spirion’s Sensitive Data Platform, simplify CCPA compliance for businesses.
Data Privacy Manager offers visibility into data wherever it lives, and automates workflows for sensitive data discovery, classification and remediation. Our compliance tool adds automated Subject Rights Request processing, making request intake and fulfillment more efficient. Automating these processes saves your security teams many hours of work and reduces the potential for human error. To see these tools in action and assess whether they are the right fit for your organization, request a free demo.