What is the CCPA and CCPA Compliance?

The California Consumer Privacy Act (CCPA) of 2018 is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. After several attempts by the California legislature to pass a comprehensive privacy law, California Governor Jerry Brown signed the CCPA into law on June 28th, 2018; it did not go into full effect until January 2020. Considered one of the strictest privacy laws in the United States, this law sets a new standard for privacy rights in California and grants consumers:

  • The right to know what personal information a business collects about them and how it will be used and shared.
  • The right to delete personal information collected from them.
  • The right to opt out of the sale of their personal information.
  • The right to non-discrimination for exercising their CCPA rights.

Under the CCPA, businesses that are covered entities are required to give consumers notice of their privacy rights.

What is CCPA Compliance?

To ensure CCPA compliance, your company may need to rework its privacy policy. Your privacy policy should include, but is not limited to:

  • The kind of information you collect and process.
  • Why you collect and process information.
  • The means by which you collect and process personal information.
  • How users can request access to, change, or delete their personal data.
  • The method for verifying the identity of the person who submits a request.
  • Sales of users’ personal data and how they can opt out of the sale of their data going forward.

What Happens If Businesses Don’t Comply? 

If a company is not in compliance with the CCPA, it has 30 days to comply with the law once regulators notify it of a violation. If it still does not comply, it faces a fine of up to $7,500 per record.

Who Does the CCPA Apply To?

The CCPA applies to for-profit businesses doing business in California that meet any of the following:

  • Have a gross annual revenue of over $25 million USD.
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

The CCPA does not apply to non-profit organizations or government entities.

What type of information is protected under CCPA? 

Personally identifiable information or “PII” is protected under the CCPA. But how does the CCPA define PII? Its definition is broader than that of typical privacy-related laws in the United States, or of the more well-known GDPR: the CCPA defines it as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Under AB 375, the following is considered “personal information” protected under the CCPA:

    • Identifiers – such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
    • Characteristics of protected classifications under California or federal law – like race, nationality, religion.
    • Commercial information – including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
    • Biometric information – like fingerprints, facial patterns, or voice.
    • Internet or other electronic network activity – information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
    • Geolocation data – such as location history.
    • Professional or employment-related information – like job title or where your office is located.
    • Education information – defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
    • Data by inference – any personal information that could lead to the identification of an individual or household. 

It’s important to note that aggregate or anonymous data is exempt from the CCPA. However, if an individual is able to use this data – by inference or with a combination of other identifiers – to identify an individual or household, this information can become personal information under the CCPA.

CPRA or CCPA 2.0 – What to Expect

In May 2020, the privacy advocacy group “Californians for Consumer Privacy” announced they had collected 900,000 signatures – enough to place the California Privacy Rights Act (otherwise known as “CPRA” or “CCPA 2.0”) on the November 2020 ballot. The law has since passed, and the new act will supersede the CCPA and close some pre-existing loopholes. It also means stricter enforcement, harsher penalties, and greater company obligations in regard to consumer privacy – moving closer in rigidity to the EU’s GDPR.

Here are some GDPR concepts the CPRA will introduce:

  • Right to rectification – Updating and adding to the consumer’s right to correct inaccurate personal information.
  • Right to restriction – Granting consumers the right to limit the use and disclosure of their sensitive personal information.
  • Sensitive personally identifiable information – Not all personally identifiable information (“PII”) will be created equal with the new law. 

Other changes introduced by the CPRA:

  • The obligation of companies and organizations to protect privacy rights of their employees and independent contractors.
  • The redefinition of key words like the meaning and scope of “business” and “breach”. 
  • The flexibility for the governing body to keep privacy laws up to date over time so that the law stays current and applicable.
  • Granting the governing body the authority to prevent future attempts by businesses to avoid or not comply with the CPRA.

Who in Your Company Will be responsible for CCPA Compliance?

It is recommended that you hire or assign someone in your company to key roles specifically related to maintaining CCPA compliance. For example, a Data Protection Officer (DPO) can continuously monitor and measure data security risks across your company and its third parties. Additionally, as regulations and rules continue to change, this person should be responsible for informing the rest of the company of any updates and how they could impact each job role.

Where Do Third-Parties Fit into the CCPA Compliance Regulations?

With new privacy regulations like the CCPA and GDPR, third-party risk management will become increasingly challenging. Third parties are likely housing a large share of an organization’s data, and under the CCPA, organizations that gather or process personal information are responsible for keeping that data private, which often requires a contract.

Therefore, organizations should do a complete and thorough review of existing contracts with third parties, determine who might be collecting and processing personal information on the organization’s behalf, and adjust these contracts accordingly to achieve compliance.

Other Common CCPA Compliance FAQs

What is the difference between the CCPA and GDPR?

While the CCPA and GDPR share a number of similarities, they are not the same. The CCPA protects “consumers” who are California residents, while the GDPR protects “data subjects,” who do not need a specific residence or citizenship in order to be protected.

Some may wonder if being GDPR compliant makes them CCPA compliant. While you may already meet some of the CCPA requirements simply by being GDPR compliant, they are not the same and you’ll still need to make adjustments to your privacy policy. For example, under the CCPA you’ll need to include a “Do Not Sell My Personal Information” link on your home page, establish methods for requests for access, change, and deletion of users’ data, as well as establish a method for verification of the identity of the person making a data-related request. You can view a full list of similarities and differences between the CCPA and GDPR here.

If my business isn’t located in California, why should I care about the CCPA?

Even if your business is not based in California, there’s a likelihood that you do business transactions with California residents. Therefore, you are subject to the CCPA in order to protect the personal data of these consumers.

What types of disclosures are businesses required to make under the CCPA?

The CCPA has put an increased emphasis on disclosures for those who are subject to the law. Under the CCPA, organizations should begin preparing comprehensive privacy notices that are clearly presented to consumers when personal information is collected, including descriptions of how the personal information is collected, how it will be used, and the categories of PI the business has sold to third parties in the past year. 

Checklist to become CCPA compliant

Understanding the CCPA and the rules and regulations an organization must comply with can feel overwhelming. This checklist will help your organization get on track.

1. Find Out if the CCPA Applies to Your Business

First, determine if the CCPA applies to your business or organization. The CCPA applies to any for-profit organization that does business in California. Additionally, it applies to businesses that:

  • Have a gross annual revenue in excess of $25 million USD.
  • Derive 50% or more of their annual revenue from selling consumers’ personal information. 
  • Annually buy, receive, or share for commercial purposes or sell personal information of 50,000 or more consumers, devices, or households. 

If you are unsure about any of the above or if it applies to your organization, it is always best to comply just to be safe. 

2. Establish Accountability Within Your Organization

Complying with the CCPA will require support from top-level management. Your organization’s board should understand the law to the best of their ability, as well as the implications of not complying with the CCPA, such as loss of consumer trust and a tarnished reputation.

We recommend starting these conversations with upper management as soon as possible so that you can get the support and resources you need to achieve long-term results. It is also a good idea to hire and assign key roles for CCPA compliance like a Data Protection Officer (DPO) who can continuously monitor and measure data security risks across your organization. 

3. Conduct a Detailed Gap Analysis

Conducting a CCPA gap analysis will help you understand what current practices are meeting CCPA requirements and which ones need to be revised. This gap analysis should cover all areas of your business from governance, risk management, roles and responsibilities, training procedures, and privacy protocols. 

Take the time to review the CCPA and understand its rules and regulations which can be found here. Some specific things you’ll want to include in your gap analysis are any existing privacy protocols your company has in place, an analysis of where your company is currently maintaining compliance and where they are not, as well as detailed instructions on how your company will take steps to achieve greater compliance.

4. Map Organizational Data and Create a Personal Information Inventory

It’s important to get a comprehensive look at all the personally identifiable information (PII) in your organization, where it is stored, and how it is used. This should be a thorough search across all your networks and devices, not just where you think that data resides.

5. Develop Organizational Procedures, Protocols, and Processes 

After mapping personal data through your organization, you will need to review any existing policies, protocols, or procedures you have in regard to data protection. You may need to revise existing procedures and update your website and company materials to reflect these changes. 

In particular, you will need to see if your PII protection policies are in line with the CCPA, including notices for opt-out and opt-in rights. You’ll want to plan how to respond to requests from consumers who are requesting to access or delete their personal information. Make sure any and all protocols are documented in a safe, secure space that appropriate employees can refer to if needed. 

6. Provide Compliance Training for Employees

You’ll want to ensure that the employees who are responsible for handling customer inquiries regarding privacy rights and those who have access to the personal data stored on your computers, servers, and cloud are aware of the CCPA requirements and the privacy protocols your company has in place. Offer training sessions for those who need it and send out information on any changes that are made to the CCPA as time goes on.

7. Implement Technical and Safety Measures to Protect Personal Information 

Having appropriate safety measures in place to secure the personal information your organization contains is critical in maintaining compliance. Not only should you have a security policy in place, but encryption and de-identification methods should be used when appropriate. We also recommend utilizing data discovery software. With something like a PII Scanning Tool, your organization can be efficient in identifying all of the data stored on your computers, servers, and cloud and begin to take the appropriate steps towards maintaining CCPA compliance. 

The Role of Data Discovery 

Companies face the immense challenge of obeying CCPA rules while still leveraging data legally to catalyze business growth. Such objectives are nearly impossible to accomplish without precise data discovery. 

Data discovery provides solutions to vital questions, including:

  • What sensitive data does my company possess?
  • Where is the data stored?
  • Why was the data collected?
  • How is the data being used?

By incorporating data discovery tools, your company can quickly and proactively locate, track, and trace data, whether it’s stored in the cloud, on employee devices, or within network repositories. 

You’ll greatly benefit from organized databases capable of finding information through metadata indexing, keyword searching, and classification. 

The best current data discovery tools will also keep your company CCPA compliant. Compliance software has built-in intelligence that accounts for regulations and alerts processors when an input or output is off base. Ultimately, it provides automated efforts to help identify the source of data breaches in a timely fashion. 
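The checklist’s step 7 and the section above describe data discovery in general terms: scan every store you hold, classify what it contains, and build a personal information inventory. The following is an added illustration written for this article, not Ground Labs’ product code, of the core of such a scanner: pattern-based detection of a few identifier types from the CCPA list (Social Security numbers, email addresses, payment card numbers with a Luhn check to cut false positives), masked reporting so the inventory itself does not become a new copy of the PII, and a per-store summary. The three sample “files” are constructed inline so the block runs offline; a real deployment would walk file shares, databases and cloud buckets instead.

```python
import re
from dataclasses import dataclass

# Constructed sample stores (path -> content). In a real scan these would be
# read from disk, network shares or cloud storage rather than embedded here.
SAMPLE_FILES = {
    "hr/onboarding.csv": "name,ssn,email\nJane Doe,123-45-6789,jane.doe@example.com\n",
    "finance/refunds.txt": (
        "Refund card 4111 1111 1111 1111 processed.\n"
        "Bad card 4111 1111 1111 1112 declined.\n"
    ),
    "marketing/notes.md": "Campaign results look good, nothing personal here.\n",
}

# Illustrative detectors for three identifier categories named in the CCPA's
# definition of personal information. Production scanners use many more.
PATTERNS = {
    # SSN: area not 000/666/9xx, group not 00, serial not 0000
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13-19 digits, optionally separated by spaces or dashes; validated by Luhn
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


@dataclass
class Finding:
    path: str
    category: str
    masked: str
    line: int


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory is not itself a PII copy."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every detector over each line of one store and return masked findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                raw = match.group()
                if category == "card":
                    raw = re.sub(r"\D", "", raw)  # strip separators before checksum
                    if not luhn_ok(raw):
                        continue  # looks like a card number but fails Luhn: skip
                findings.append(Finding(path, category, mask(raw), lineno))
    return findings


def build_inventory(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Personal information inventory: which store holds which categories, and where."""
    return {path: scan_text(path, text) for path, text in files.items()}


def summarize(inventory: dict[str, list[Finding]]) -> dict[str, int]:
    """Count findings per category across all stores, for the gap-analysis report."""
    counts: dict[str, int] = {}
    for findings in inventory.values():
        for f in findings:
            counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FILES)
    for path, findings in inventory.items():
        print(f"{path}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: {f.category} {f.masked}")
    print("summary:", summarize(inventory))
```

The Luhn step is the kind of built-in intelligence the section refers to: the second card-like number in the refunds file is rejected, so the inventory records one payment card hit, not two. Masking in the report is deliberate; a discovery tool that writes full identifiers into its own output has just created another store that the inventory must track.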

Guarantee your data protection by contacting Ground Labs, a data solutions company entirely devoted to helping organizations fulfill compliance standards. On servers, on desktops, or in the cloud, we’ll keep your ePHI secure.