COMPLIANCE
Ground Labs | 3/25/2021
The California Consumer Privacy Act (CCPA) of 2018 is a state-wide data privacy law that regulates how businesses anywhere in the world handle the personal information (PI) of California residents. After several attempts by the California legislature to pass a comprehensive privacy law, Governor Jerry Brown signed the CCPA into law on June 28, 2018; it took effect on January 1, 2020. Considered one of the strictest privacy laws in the United States, this law sets a new standard for privacy rights in California and includes:
Under the CCPA, businesses that are covered entities are required to give consumers notice of their privacy rights.
To ensure CCPA compliance, your company may need to rework its privacy policy. Your privacy policy should include, but is not limited to:
If the California Attorney General notifies a business that it is violating the CCPA, the business has 30 days to cure the violation. If it does not, it faces a civil penalty of up to $2,500 per violation, or up to $7,500 per intentional violation. (The CPRA, discussed below, removes this 30-day cure period.)
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
The CCPA does not apply to non-profit organizations or government entities.
Personal information (often called personally identifiable information, or “PII”) is protected under the CCPA. But how does the CCPA define it? Its definition is broader than that of most US privacy laws and, in some respects, broader than the better-known GDPR, because it covers households as well as individuals. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Under AB 375, the bill that enacted the CCPA, the following is considered “personal information” protected under the CCPA:
It’s important to note that aggregate or de-identified data is exempt from the CCPA. However, if that data can be used, by inference or in combination with other identifiers, to identify or reasonably link to an individual or household, it becomes personal information under the CCPA.
In May 2020, the privacy advocacy group Californians for Consumer Privacy announced that it had collected more than 900,000 signatures, enough to place the California Privacy Rights Act (otherwise known as the “CPRA” or “CCPA 2.0”) on the November 2020 ballot. Voters approved it as Proposition 24. The CPRA amends and expands the CCPA, with most of its provisions taking effect on January 1, 2023, and closes some pre-existing loopholes. It also means stricter enforcement, harsher penalties, and greater company obligations in regard to consumer privacy, moving California closer to the rigor of the EU’s GDPR.
Here are some GDPR concepts the CPRA will introduce:
Other changes introduced by the CPRA:
It is recommended that your company hire or assign someone to key roles specifically related to maintaining CCPA compliance. For example, a Data Protection Officer (DPO), a role the GDPR defines but the CCPA does not require, can continuously monitor and measure data security risks across your company and its third parties. Additionally, as regulations and rules continue to change, this person should be responsible for informing the rest of the company of any updates and how they could affect each job role.
With new privacy regulations like the CCPA and GDPR, third-party risk management will become increasingly challenging. Third parties are likely holding a large share of an organization’s data, and under the CCPA the organization that collects personal information remains responsible for protecting it. Handing that data to a service provider requires a written contract that restricts the provider from retaining, using, or disclosing the data for any purpose other than performing the contracted services.
Therefore, organizations should conduct a complete and thorough review of existing contracts with third parties, determine who might be collecting and processing personal information on the organization’s behalf, and adjust those contracts accordingly to achieve compliance.
While the CCPA and GDPR share a number of similarities, they are not the same. The CCPA protects “consumers” who are California residents, while the GDPR protects “data subjects” located in the EU/EEA regardless of their citizenship or residency status.
Some may wonder whether being GDPR compliant makes them CCPA compliant. GDPR compliance covers some CCPA requirements, but the two laws are not the same, and you will still need to adjust your privacy policy and processes. For example, under the CCPA you need a “Do Not Sell My Personal Information” link on your home page, methods for consumers to request access to and deletion of their data, and a method for verifying the identity of the person making a data-related request. You can view a full list of similarities and differences between the CCPA and GDPR here.
Even if your business is not based in California, it is likely that you transact with California residents. If you do, and you meet one of the thresholds above, you are subject to the CCPA regardless of where you are located and must protect the personal information of those consumers.
The CCPA has put an increased emphasis on disclosures for those who are subject to the law. Under the CCPA, organizations should begin preparing comprehensive privacy notices that are clearly presented to consumers when personal information is collected, including descriptions of how the personal information is collected, how it will be used, and the categories of PI the business has sold to third parties in the past year.
Understanding the CCPA and the rules and regulations an organization must comply with can feel overwhelming. This checklist will help your organization get on track.
First, determine whether the CCPA applies to your business or organization. The CCPA applies to for-profit organizations that do business in California and meet at least one of the following:
If you are unsure about any of the above or if it applies to your organization, it is always best to comply just to be safe.
Complying with the CCPA will require support from top-level management. Your organization’s board should understand the law as well as possible, along with the implications of not complying with it, such as loss of consumer trust and a tarnished reputation.
We recommend starting these conversations with upper management as soon as possible so that you can get the support and resources you need to achieve long-term results. It is also a good idea to hire and assign key roles for CCPA compliance like a Data Protection Officer (DPO) who can continuously monitor and measure data security risks across your organization.
Conducting a CCPA gap analysis will help you understand which current practices meet CCPA requirements and which need to be revised. This gap analysis should cover all areas of your business, including governance, risk management, roles and responsibilities, training procedures, and privacy protocols.
Take the time to review the CCPA and understand its rules and regulations, which can be found here. Your gap analysis should include any existing privacy protocols your company has in place, an assessment of where your company is currently compliant and where it is not, and detailed steps your company will take to close each gap.
It’s important to get a comprehensive view of all the personally identifiable information (PII) in your organization, where it is stored, and how it is used. This should be a thorough search across all your networks and devices, not just the places where you think the data resides.
After mapping personal data through your organization, you will need to review any existing policies, protocols, or procedures you have in regard to data protection. You may need to revise existing procedures and update your website and company materials to reflect these changes.
In particular, you will need to see if your PII protection policies are in line with the CCPA, including notices for opt-out and opt-in rights. You’ll want to plan how to respond to requests from consumers who are requesting to access or delete their personal information. Make sure any and all protocols are documented in a safe, secure space that appropriate employees can refer to if needed.
You’ll want to ensure that the employees who are responsible for handling customer inquiries regarding privacy rights and those who have access to the personal data stored on your computers, servers, and cloud are aware of the CCPA requirements and the privacy protocols your company has in place. Offer training sessions for those who need it and send out information on any changes that are made to the CCPA as time goes on.
Having appropriate security measures in place to protect the personal information your organization holds is critical to maintaining compliance. Not only should you have a security policy in place, but encryption and de-identification methods should be used where appropriate. We also recommend using data discovery software. With a PII scanning tool, your organization can efficiently identify the personal data stored on its computers, servers, and cloud services and take the appropriate steps toward maintaining CCPA compliance.
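To make the data-inventory and PII-scanning steps above concrete, here is a small, self-contained discovery scan. It is an added illustration written for this page, not Ground Labs’ Enterprise Recon or any other product, and its sample files, file names, and detector patterns are constructed for the example. It walks every file under a directory (including a tmp folder where nobody expects personal data), flags candidate SSNs, e-mail addresses, and payment card numbers, validates candidates (Luhn check for cards, issuance rules for SSNs) so that order numbers and timestamps are not reported as cards, and writes only masked values into its findings so the scan report itself does not become another copy of the PI.

```python
"""Minimal PII discovery scan over a directory tree.
Added illustration for this page; not Ground Labs' Enterprise Recon
or any other product. All sample data below is constructed."""
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str    # file the match was found in
    line: int    # 1-based line number within that file
    kind: str    # "ssn", "email" or "card"
    masked: str  # value with all but the last four characters hidden


# Detectors (constructed for this example; a production scanner needs many
# more, e.g. driver's licence, passport and bank account formats).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most digit runs (order IDs, epoch
    timestamps) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for US SSNs: areas 000, 666 and 900-999 are never
    issued, and no group or serial number is all zeros."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(value: str) -> str:
    """Never write raw PI into a scan report: keep only a tail for triage."""
    if "@" in value:
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str, path: str = "<text>") -> List[Finding]:
    """Run every detector over each line and keep validated hits only."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(path, lineno, "ssn", mask(m.group(0))))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(path, lineno, "email", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(path, lineno, "card", mask(digits)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk every regular file under root; bytes that do not decode are
    replaced so a stray binary file does not abort the whole scan."""
    findings: List[Finding] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            findings.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return findings


def demo() -> List[Finding]:
    """Build a throw-away directory with constructed sample files, including
    PI left in a 'tmp' folder where nobody expects it, and scan it."""
    root = Path(tempfile.mkdtemp(prefix="ccpa-scan-"))
    (root / "crm").mkdir()
    (root / "crm" / "export.csv").write_text(
        "name,email,ssn,card\n"
        "Jane Doe,jane.doe@example.com,123-45-6789,4111 1111 1111 1111\n"
        "Test Row,noreply@example.org,000-12-3456,4111 1111 1111 1112\n")
    (root / "tmp").mkdir()
    (root / "tmp" / "notes.txt").write_text(
        "Order 1700000000000 refunded; card on file 5500 0000 0000 0004\n"
        "Escalate to help@example.com\n")
    return scan_tree(str(root))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:5s} {f.path}:{f.line} {f.masked}")
```

On the constructed sample, the CSV row with an unissued SSN prefix (000) and a card number that fails the Luhn check produces only an e-mail finding, the 13-digit order number in the notes file is discarded by the Luhn check, and the real card number in the tmp folder is reported even though no data map would have listed that location. The output carries masked values only, which is the behaviour to insist on from any discovery tool: a scan report full of plaintext card numbers and SSNs is itself a store of personal information that the CCPA covers.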
Companies face the immense challenge of obeying CCPA rules while still leveraging data legally to catalyze business growth. Such objectives are nearly impossible to accomplish without precise data discovery.
Data discovery provides solutions to vital questions, including:
By incorporating data discovery tools, your company can quickly and proactively locate, track, and trace data, whether it’s stored in the cloud, on employee devices, or within network repositories.
You’ll greatly benefit from organized databases capable of finding information through metadata indexing, keyword searching, and classification.
The best current data discovery tools will also help keep your company CCPA compliant. Compliance software has built-in intelligence that accounts for regulations and alerts processors when an input or output is off base. It also automates much of the work of identifying the source of a data breach in a timely fashion.
Strengthen your data protection by contacting Ground Labs, a data solutions company entirely devoted to helping organizations fulfill compliance standards. On servers, on desktops, or in the cloud, we’ll help you keep your sensitive data secure.
As companies all around the world continue to have large portions of their workforce remote, the need to keep their data safe and protected is even more critical. To help companies navigate this new reality and mitigate security risks, we are providing a 90-day complimentary version of our flagship solution, Enterprise Recon. Learn more about it here.