What is the California Consumer Privacy Act (CCPA)?

The EU GDPR took the world by storm, upping the compliance ‘ante’, causing other countries to follow suit in protecting consumer privacy. While the United States hasn’t implemented any federal regulation of this sort, many states have begun to implement their own regulations at the state level. For California, the clock has already begun ticking with the California Consumer Privacy Act (CCPA), a GDPR like regulation with a compliance timeline of January 1^st, 2020.  

The CCPA introduces sweeping legislation providing consumers with new rights in regards to the collection of their personal information.  The regulation has three primary goals to provide consumers

1. The knowledge of what type of personal information large corporations are collecting related to them
2. The right to control whether a business is allowed to share or sell one’s personal information
3. The right to protections against businesses which are not taking the appropriate measures to secure consumers’ privacy

Important Definitions

There are several definitions set forth within the CCPA, but of the most important are the concepts of a business, consumer, and personal information. It is integral to understand what constitutes these categories to truly understand the scope of the CCPA.

The CCPA defines an applicable “business” as any entity that operates for the profit or financial benefit of its shareholders that collects consumers’ personal information that does business within the State of California that meets one or more of the following thresholds

• Has an annual gross revenue in excess of $25 million
• Annually buys, receives or sells the personal information of 50,000 or more consumers, households, or devices.
• Derives 50% or more of its annual revenues from selling consumers’ personal information

The definition of a consumer is rather vague but is defined as a natural person who is a resident of California, with a resident being defined as one of the following:

• An individual who is in the state for other than a temporary or transitory person
• An individual who is domiciled in the state who is outside the state for a temporary or transitory purpose

The definition of personal information is quite broad, being defined as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device, including, but not limited to:

• Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
• Any categories of personal information enumerated in Civil Code 1798.80, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
• Characteristics of protected classifications under California or federal law
• Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies
• Biometric data
• Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
• Geolocation data
• Audio, electronic, visual, thermal, olfactory, or similar information
• Psychometric information
• Professional or employment-related information
• Inferences drawn from any of the information identified above
• Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.

Refer to the initiative for a full list of relevant definitions

Consumer Rights Defined in the CCPA

The purpose of the CCPA as stated in the initiative is to ‘further the constitutional right of privacy by giving consumers an effective way to control their personal information’. This is achieved through the provision of several consumer rights.

• Right to Access: California consumers will have the right to request that a business that collections personal information about the consumer disclose to the consumer the types of personal information that has been collected, the sources from which this information was collected, the purpose for collecting this information, the categories of third parties with whom this personal information has been shared, the specific pieces of personal information that has been collected in regards to the consumer, and the categories of personal information that the business has sold to third parties
• Right to Opt-Out: If for any reason a consumer decides they do not desire to have their personal information sold, they have the ‘right to opt-out’, disabling businesses from selling their information.
  
• Right to Deletion: Consumers have the right to request deletion of personal information and would require the business to delete upon receipt of a verified request
  
• Right to Equal Service and Price: In the case that a consumer has exercised any of the rights granted to them through this legislation, businesses cannot discriminate against the consumer by denying goods or services, charging different rates for goods or services, or providing a different level of service to the consumer.

How Can Businesses Prepare for CCPA Compliance?

The CCPA requires businesses to apply strict controls to ensure consumers can exercise their rights effectively. In order to become and remain compliant with the CCPA, organizations will have to follow common core principals as other similar compliance standards:

• Know where personal information exists: Not only should organizations have an understanding where there most critical data assets exist, but should also understand which of that data is personally identifiable.
• Employ strong Data Access Governance controls: While knowing where this type of information exists is the first step, ensuring that the right controls are in place to prevent unauthorized access, and controlling data growth by removing unnecessary data will be key to ensuring consumer data privacy
• Deploy the necessary systems to respond to consumer requests: Businesses will have to provide the proper means for consumers to leverage the rights granted to them through the CCPA, including making available two or more methods of submitting requests for information required, as well as being able to respond to these requests in a timely manner.

Leveraging cybersecurity software such as that offered by STEALTHbits can streamline some of these necessary functions by providing the means to

• Discover the repositories that contain data assets
• Determine which of this data is personally identifiable
• Ensure that the proper data controls are in place by providing an understanding of who has access to what, and how they are leveraging that access
• Monitor for real-time threats
• Deploy policies to prevent unauthorized access to critical or sensitive information

To learn more about how STEALTHbits addresses CCPA compliance, visit https://www.stealthbits.com/california-consumer-privacy-act-ccpa-compliance