CCPA: At the Crossroads of Cybersecurity & Privacy
If you’re familiar with the world of cybersecurity and privacy, you probably know that the California Consumer Privacy Act (CCPA) is probably the most groundbreaking privacy law ever in the United States. Signed into law on June 28, 2018, CCPA has set a new world of cybersecurity compliance into motion, and it shows no signs of slowing down soon.
Cybersecurity and privacy, though different, overlap in several ways. Privacy in the tech world refers to safeguarding a user's identity. However, in order to keep user data private, tech companies are required to put cybersecurity measures in place to keep this user data secure. It's possible to have security without privacy, but privacy without cybersecurity is impossible. With breaches on the rise, to keep users safe, investing in and understanding cybersecurity is a must.
Today, we’re going to discuss the ins and outs of the California Consumer Privacy Act (CCPA), and what you need to know about this relevant new law.
Let’s dive in.
What is the California Consumer Privacy Act?
Here at Apptega, we focus on extending robust cybersecurity to companies of all sizes. Through our comprehensive services, we help our clients build, manage, and report their cybersecurity and compliance with one simple platform.
As security compliance becomes more complex, Apptega makes it 10x more efficient, while also providing organizations with unprecedented visibility into all cybersecurity data. Recently, we hosted an expert panel surrounding CCPA, what it is, why it matters, and how cybersecurity experts are using it in the modern digital world.
Here’s how DataPrivacyMonitor.com defines CCPA law:
The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect on January 1, 2020. In the wake of the CCPA’s passage, approximately 15 other states introduced their own CCPA-like privacy legislation, and similar proposals are being considered at the federal level. Among the many differences between the CCPA and existing U.S. privacy legislation, the definition of personal information under the new law is very broad and includes data elements not previously considered personal information under any U.S. law. In addition, the CCPA introduces new privacy rights for Californians, such as the right to know what personal information a business has collected about them, details on how the business uses and discloses the data, and the right to request that the business delete that information.
Who Does CCPA Apply to?
CCPA is a sweeping law, and it has far-reaching impacts on many businesses and business activities. Many of the impacted parties were not formerly subject to US privacy rules and regulations. Contrary to what the name might suggest, the law is not limited to companies with a physical operation in the U.S. Instead, it applies to any for-profit entity that meets the following criteria:
- Has a gross annual revenue of $25 million or more
- Annually purchases or receives for commercial purposes, or sells or shares for commercial purposes, personal information for 50,000 or more consumers, households, or devices in California
- Or generates 50% or more of their annual gross revenue from selling personal information
In the words of DataPrivacyMonitor.com, “The CCPA also applies to any entity that (1) controls, or is controlled by, a business that meets the above criteria, and (2) shares common branding with that business.”
How is “Personal Information” Defined?
The CCPA addresses the sale, trade, or transfer of “personal information” specifically, but that’s a general term that many companies may find it challenging to define. Here’s how Jodi Daniels, Founder and CEO of Boutique Data Privacy Consultancy Red Clover Advisors defined the CCPA’s “personal information” regulations during our expert panel:
“Personal information in CCPA is very similar to GDPR if you're familiar with that. If you're not, it extends the definition beyond what many of us think of when we think of personal information. We often think name, email, date of birth, financial information, health information, but the CCPA also includes all online identifiers, such as cookies, IP address, browsing information, and more. If you're collecting device information, all of that is considered personal information....This law really came on the heels of the Facebook and Cambridge Analytica scandals. Today, the definition basically extends to selling, renting, releasing, disclosing, disseminating, making available or otherwise communicating orally, personal information for other valuable considerations.”
Beyond that, CCPA poses some additional personal information concerns for companies that handle such data. These include:
- CCPA requires companies with join partnerships or who are sharing emails with third parties to comply with the same regulations
- CCPA-mandated companies have to allow users to opt-out and must offer several notification methods
- CCPA-mandated companies cannot discriminate against users who choose to opt-out of the sale of information
3 Tips for Ensuring CCPA Compliance
During our recent expert panel, we polled our users on how ready they perceived their organizations to be for CCPA. Only 2% of respondents reported that they had fully implemented all requirements, while 23% said that they still needed to implement. That means nearly a quarter of respondents don’t even know if they need to implement the requirements.
Obviously, there’s a massive need for guidance and structure when it comes to CCPA implementation. Here are a few tried-and-true tips for companies who want to prepare for CCPA, starting now:
1. Understand Whether CCPA Applies to Your Business
If your business meets the criteria laid out earlier in this post, you’ll have to implement CCPA regulations. If your company does not meet any one of these three thresholds, your business won’t be affected by the law and is not legally required to adhere to these requirements. Despite this, make sure you’re keeping up with digital consumer privacy laws, as they change frequently, and your business may be required to abide by them at some point.
2. Understand Platforms as They Relate to Your Web Properties
According to the CCPA law, the owner and operator of a website that allows the collection or sharing of data is responsible for the security of all personal information collected, sold, or shared on the site, including the actions of third-party platforms loading in through other third parties.
With this in mind, be sure to audit your web applications regularly. You should understand how they are being loaded and what they do with data. This makes it easier to comply with CCPA guidelines.
3. Develop a Plan to Respond to Data Subject Requests
As consumer privacy concerns become more rampant in the digital world, it’s critical for you to begin building out your data subject access request plan. This is especially important, given that CCPA requires a 12-month recall period. While there are many different ways to respond to this, the most important thing is to focus on something that allows for both consumer privacy and compliance.
Why Comply With CCPA Law?
Wondering why it’s so essential to comply with CCPA law? Here’s what Jodi Daniels said during our expert panel:
“Why should we comply with CCPA? Well, there are regulatory fines. You could have up to $2,500 per violation, $7,500 if it was an intentional violation. There is also an individual right of action. Essentially, if you have a data breach where essentially there were no reasonable security measures employed, you were basically negligent. In that situation, individuals could come after the company at $100 to $750 per infraction per record.”
The Future of CCPA Law
CCPA law is here to stay, and it’s changing the way we handle data security online. While many companies aren’t sure where to start with compliance or understanding, our expert panel offered an excellent framework for companies just setting out.
If you need additional assistance with CCPA compliance, download our CCPA compliance checklist or schedule a call with one of our specialists.