The California Consumer Privacy Act was signed into law in 2018 and went into effect on January 1st, 2020. With the EU’s GDPR paving the way, CCPA has a significant impact on how enterprises manage security and compliance for user data, as well as how data breaches are handled.
Simply put, the CCPA gives residents of the state of California greater control over their personal data, requiring companies to be more transparent about the data collected and stored about consumers. Businesses with practices in place to comply with GDPR are at an advantage, however, CCPA has some key differences that should be addressed separately from GDPR.
We’ve discussed the CCPA before, however, there have been several recent amendments in addition to the various iterations of these regulations since the original proposal.
As of the time of this blog post, these changes are being finalized and will start being enforced by the California Attorney General (AG) on July 1st, 2020. Now is the perfect time to make sure your organization is CCPA compliant.
Consumer Rights Under CCPA
At its core, the CCPA grants consumers with the following new rights:
- To know what personal information is being collected about them
- To know whether their personal information is sold or disclosed and to whom
- To opt-out of the sale of personal information
- To access their personal information, and request it be deleted
- The right to equal service and price, even if they exercise their privacy rights
The right to deletion will be familiar to anyone exposed to GDPR’s “right to erasure” or “right to be forgotten”.
Businesses will also be prohibited from selling the personal information of consumers aged 13-16 unless the consumer specifically opts in. Consent from a parent or guardian is also required if the consumer is under the age of 13.
It’s essential for all businesses with ties to California, even if seemingly indirect, to know where personally identifiable information (PII) is, and how to relate each piece of information to specific consumers.
Essential CCPA Compliance Terms
There are many important definitions regarding CCPA, including:
Personal Information – “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes names, aliases, physical addresses, online usernames, IP addresses, biometric information, geolocation data, SSNs, driver’s license numbers, passport numbers, employment information, and more that’s considered “other similar identifiers”.
What’s especially interesting is that this can include inferences drawn from all this information, including consumer profiles reflecting preferences, characteristics, trends, behavior, etc.
Consumer – “A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”
Essentially this covers everyone who lives in California, even if they are temporarily out of the state. However, visitors to the state of California are not covered by the CCPA (e.g. when the visit is of a temporary or transitory nature).
Collect – “Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.”
Sell – “Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
These are very broad definitions that can be triggered by larger transactions which do not obviously involve the sale of user data and personal information (for example, website cookies). Businesses can’t be too careful under CCPA legislation.
Business – “A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information…”
This definition of “business” goes on to outline which businesses are affected by CCPA, which we’ll outline in the next section.
Who the CCPA Affects
The CCPA’s domain can have a wide reach, including if your business doesn’t directly deal with the state of California in an obvious capacity. If your organization has collected any data from a California resident (for example, through website cookies) then you may need to comply with CCPA.
CCPA affects for-profit businesses that collect personal information from CA residents and meet at least one of the following:
- Has an annual revenue of at least $25 million
- Holds personal information from at least 50,000 individuals or households
- More than half of the annual revenue is generated by selling personal information
There are some exemptions, although they can be complex and other aspects of a business may force compliance with CCPA regardless. Exemptions include:
- Financial institutions subject to Gramm-Leach-Bliley or CalFIPA regulations
- Clinical trial information, subject to the Federal Policy for the Protection of Human Subjects
- Credit reporting agencies subject to the Fair Credit Reporting Act
- Health providers subject to CMIA and HIPAA regulations (PHI/ePHI)
- Certain information covered by the Driver’s Privacy Protection Act (DPPA)
- Certain employee information used within the scope of the employer-employee relationship
- Certain business-to-business (B2B) relationships
- Certain vehicle warranty and recall information
Despite these exemptions, and with other privacy regulations like EU GDPR in mind, businesses should still implement protections for user data (especially PII) and understand where data resides as well as who has access to it. The benefits go far beyond legal requirements such as CCPA and EU GDPR.
CCPA vs. EU GDPR
At a high level, the EU’s GDPR has a broader scope than the CCPA, both in terms of geographical and legal scope. For example, GDPR applies to private companies, non-profits, public bodies, and public institutions. By comparison, the CCPA affects for-profit businesses that meet the aforementioned requirements.
Another key difference is regarding consent. For many purposes, GDPR pushes organizations towards requiring opt-in for data collection rather than requiring opt-out like the CCPA does.
When it comes to exemptions, the CCPA is more generous and includes specific, categorical examples for scenarios where CCPA does not apply. GDPR exemptions are far fewer and less specific.
Finally, the definition of a “consumer” is broader under GDPR, with personal data being referenced in relation to “data subjects” that have less well-defined citizenship/residency requirements.
How CCPA Compliance is Enforced
Failure to comply with CCPA regulations can result in various fines:
- For noncompliance, companies can be fined $2,500 per violation (if unintentional) or $7,500 per violation (if intentional).
- In the event of exposed personal information due to a breach, consumers gain the right to sue for $100 – $750 per incident. However, this value can increase if actual damages exceed $750.
The California AG has even issued multiple advisories to consumers to know and exercise their new rights under CCPA (especially during the COVID-19 public health emergency), and many consumers have already started acting.
CCPA-related lawsuits in 2020 include:
- Barnes v. Hanna Andersson LLC and Salesforce.com Inc. (4:20-cv-00812)
- Sheth v. Ring LLC (2:20-cv-01538)
- Burke v. ClearviewAI, Inc. (3:20-cv-00370)
- Cullen v. Zoom Video Communications, Inc. (5:20-cv-02155)
Businesses will have a chance to remediate CCPA violations within a 30-day window before the California AG may file an enforcement action.
CCPA has certainly been given life and is here to stay. Businesses can and will be tested to prove CCPA compliance, ranging from simple consumer Data Subject Access Requests (DSAR) to compliance and disclosure in the event of a complex, full-scale data breach.
How to Achieve CCPA Compliance
Businesses regulated under CCPA need to make sure consumers can exercise their new rights, cannot hinder consumer rights, cannot charge for services related to consumer rights, and cannot limit the quality of service for consumers who have exercised their rights.
Requested (required) information must be disclosed and delivered to the consumer within 45 days of the initial request and must cover the 12-month period preceding the request. 90-day extensions for disclosure are available, although not always granted.
Like preparing for GDPR compliance, businesses should follow certain core CCPA compliance standards:
Know Where Personal Information is Located
Locating and classifying user data is an important first step towards CCPA compliance, as is continuously auditing for this type of information. When possible, encryption of data at rest is also a useful step towards protecting personal information in the event of a data breach.
Archive or Remove Stale Personal Information
If data is no longer needed for business or regulatory purposes, it should be securely archived or deleted. This lessens the impact a potential data breach could have, as less user data is exposed.
Audit and Control Access to Personal Information
Organizational users should only have access to data that’s necessary for their role’s functions. By limiting data access to essential workflows and users, less data is exposed via open access and may be more difficult for attackers to reach in the event of a breach.
Have Systems in Place to Respond to Consumer Requests
Businesses need to be able to quickly respond to consumer DSARs, gather all personal information associated with that consumer, provide that information to the consumer, and potentially delete that information.
This also includes opt-out requests for the sale of personal information, which should be easily accessible via a “Do Not Sell My Personal Information” link on the company website. Users should also be informed of cookie usage and data collection on the site as soon as they arrive and should be required to agree to the policy before proceeding.
Regarding disclosure, businesses must make available to consumers two or more designated methods for submitting requests for information required to be disclosed. This includes, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address.
Finally, it’s also a good practice to maintain records of consent for users under the age of 17 as well as opt-out and data deletion requests.
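The four compliance practices above (locate and classify personal information, retire stale data, and be able to gather or delete everything tied to one consumer for a DSAR) can be tied together in a small inventory tool. The following Python script is an added example written for this post; it is not Stealthbits code. It scans a constructed set of in-memory files with a few illustrative PII patterns (SSN, email, IPv4), indexes each identifier to the files holding it, flags files older than a retention window, and scrubs one identifier on request. The regexes, file contents, dates and retention period are all assumed sample values, not validated criteria sets.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative patterns for three categories the CCPA treats as personal
# information. Constructed for this example; a real discovery engine uses
# tuned, validated criteria rather than bare regexes.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Assumed "today" for the stale-data check (the AG enforcement date in the post).
REFERENCE_DATE = date(2020, 7, 1)


@dataclass
class StoredFile:
    path: str
    content: str
    last_modified: date


@dataclass
class Finding:
    path: str
    category: str
    value: str


def sample_files():
    """Constructed sample repository standing in for network shares."""
    return [
        StoredFile("shares/hr/onboarding.txt",
                   "Jane Doe, SSN 123-45-6789, jane.doe@example.com",
                   date(2020, 3, 1)),
        StoredFile("shares/web/access.log",
                   "10.0.0.5 - - GET /account jane.doe@example.com",
                   date(2020, 5, 15)),
        StoredFile("shares/archive/old_export.csv",
                   "name,ssn\nJohn Roe,987-65-4321",
                   date(2017, 1, 10)),
    ]


def scan(files):
    """Step 1: locate and classify personal information in every file."""
    findings = []
    for f in files:
        for category, pattern in PII_PATTERNS.items():
            for match in pattern.findall(f.content):
                findings.append(Finding(f.path, category, match))
    return findings


def build_index(findings):
    """Map each identifier to the set of files that hold it."""
    index = {}
    for fnd in findings:
        index.setdefault(fnd.value, set()).add(fnd.path)
    return index


def dsar_locations(index, identifier):
    """Step 4 (access): every location that must be gathered for one consumer."""
    return sorted(index.get(identifier, set()))


def stale_files(files, retention_days, today=REFERENCE_DATE):
    """Step 2: files untouched for longer than the retention window."""
    cutoff = today - timedelta(days=retention_days)
    return sorted(f.path for f in files if f.last_modified < cutoff)


def erase_identifier(files, identifier, marker="[ERASED]"):
    """Step 4 (deletion): scrub one identifier wherever it appears.

    Returns the paths that were modified, which doubles as the record of
    the deletion request having been honoured.
    """
    touched = []
    for f in files:
        if identifier in f.content:
            f.content = f.content.replace(identifier, marker)
            touched.append(f.path)
    return sorted(touched)


if __name__ == "__main__":
    files = sample_files()
    index = build_index(scan(files))
    print("jane.doe@example.com is held in:", dsar_locations(index, "jane.doe@example.com"))
    print("stale (>2 years):", stale_files(files, retention_days=730))
    print("erased from:", erase_identifier(files, "jane.doe@example.com"))
```

Running the script lists the two files holding the sample consumer's email address, flags the 2017 export as stale, and then scrubs the address from both files so that a follow-up scan no longer returns it. Keeping the retention window and the reference date as parameters makes the same check reusable as a scheduled audit rather than a one-off run.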
How Stealthbits Helps with CCPA Compliance
In order to comply with CCPA requirements, Stealthbits provides a range of capabilities that allow customers to identify, secure, and report on consumer data and Personally Identifiable Information (PII).
StealthAUDIT, a full-fledged Data Access Governance (DAG) solution, includes:
Host Discovery: Identify the different platforms within the network that may contain various unstructured and structured data repositories to ensure a comprehensive view of your organization’s privacy data footprint.
Sensitive Data Discovery: Capabilities that analyze content for patterns or keywords that match built-in or customized criteria related to customer privacy.
Remediation Actions: Automate all or portions of the tasks you need to perform to demonstrate compliance with CCPA and a myriad of other regulatory standards.
For the CCPA definition of personal information, Stealthbits can help with that as well:
- Automatically discover where unstructured and structured data exists across your network
- Examine the contents of 400+ file types (including images using OCR) stored within Network File Shares, SharePoint Sites, Cloud Storage platforms, and Exchange, as well as Oracle and SQL Server databases
- Leverage over 350 pre-configured criteria sets aligning to Personally Identifiable Information (PII)
- Clean-up stale files that no longer need to be managed or maintained to reduce overall data scope and risk
- Classify (tag file metadata) and/or move, delete, modify permissions, and integrate with other technologies to automate manual processes
The CCPA grants consumers, “various rights with regard to personal information relating to that consumer that is held by a business”, and requires businesses to, “implement and maintain reasonable security procedures and practices” to do so. Stealthbits can help:
- Understand access rights, permissions, activity, data sensitivity, ownership, and file metadata across unstructured and structured data sources
- Automatically implement a least privilege access model, ensuring access rights and permissions are limited to only what users need
- Monitor and secure Active Directory to prevent unauthorized access to data resources and mitigate risks associated with account compromise and privilege escalation
- Maintain a full, searchable audit trail of all file access activities, Active Directory changes, account authentications, and more for forensic investigations and auditors
Finally, Stealthbits can also help with legal breach notification rules via StealthDEFEND’s real-time threat detection and response:
- Detect and alert on abnormal user behavior, suspicious activities, and attempts to compromise account or data security in real-time
- Integrate with existing SIEM solutions for consolidated alerting and advanced correlation with other network technologies
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in StealthAUDIT. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, data storage, and automation. He has a Bachelor’s degree from Bryant University, and outside of tech he enjoys running, tennis, and snowboarding.