By Shai Canaan | Principal Security Consultant at Nettitude
The State of California will start enforcing the California Consumer Privacy Act (CCPA), Assembly Bill 375 (AB 375), on July 1st 2020. As its name suggests, the law is privacy specific and aims at protecting the personal information of residents of the state of California - or, in the language of the act, “California consumers”.
CCPA was signed into law in June 2018 and went into effect in January 2020. CCPA grants California consumers rights and control over their personal information, including:
- The right to know
- The right to delete
- The right to opt-out
- The right to non-discrimination
It is the most comprehensive U.S. state-level data protection law to date, and it is rigorous in coverage and detail. It applies to for-profit entities that collect consumer data, and it creates rights for consumers and obligations for businesses in relation to personal information (PI). The CCPA has “teeth”: failure to follow it exposes violators to both fines and civil action.
For those of us who had to work with the European Union’s General Data Protection Regulation (GDPR) over the past two years, the CCPA may bring back painful memories. Much of the CCPA leans heavily on the same concepts.
There are concrete steps you can take to adhere to this law, and there are broad CCPA concepts you will need to interpret for your unique business context. If you are already GDPR aware, the leap into CCPA territory will not be a big one, but the CCPA is not a GDPR clone.
CCPA is not “check the box” friendly; you will need to be proactive and your business may need to evolve towards transparency, and quickly. If your business falls under the category of a data broker, your “to-do list” will need to expand to include the new Data Broker registration law - AB 1202, which is related to the CCPA and mentioned within it.
You can trust that the most rigorous privacy regulation in the US will also look at your cybersecurity: the act and its implementing regulations repeatedly require “reasonable security” for the personal information you handle. Your cybersecurity program may already include elements consistent with the CCPA, but compliance with the CCPA is not your only goal. Your main ongoing mission is to protect the consumer data your business stores, and that requires a sound cybersecurity strategy, risk awareness, and technical capabilities.
The tone of the CCPA is aggressive. Unusually for an act, its findings cite the March 2018 misuse of personal data by Cambridge Analytica. The CCPA also references recent congressional discussions, highlighting that any personal information shared on the internet can be subject to misuse and theft.
It means business, and it wants you to know that it targets two dimensions: privacy and security.
What is CCPA
The act gives Californians the right to know who is using their data and for what purpose, to opt out of the sale of their data at any time, and, for minors, to require opt-in consent before any sale. The onus is on your business to track and produce that data upon request; additionally, protection of the data is essential.
Your business will need to review its consumer data and privacy practices - determining what types of data it collects, how much data it has and where it resides, whether it tracks the origin of collected data, how long it retains consumer data, and its ability to comply with retention or deletion requests.
Who is in scope for CCPA
The law applies to for-profit businesses that collect California consumer data. It considers:
- personal information to include data that relates to the consumer as well as their household (for example, a spouse and children living at the same address)
- a business to be in scope if it meets any one of three thresholds: annual gross revenues over $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or earning at least 50 percent of its annual revenue from selling consumers’ personal information
Not in California or the US? The CCPA doesn’t stop at the California state borders. Companies in the US and around the world that collect or sell data of California residents or households may also need to comply.
Are you wondering if B2B is in scope? Yes, subject to the temporary B2B exemption discussed under Amendments below.
The act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”.
Pay attention to the word “capable” - information that is "capable" of being associated with, or that could reasonably be linked to.
The Act’s definition of personal information (PI) is worded broadly: it includes information that can identify a household, not necessarily an individual consumer. The examples it provides show how wide-ranging the definition of PI can be. For instance, the PI definition includes unique personal identifiers, which cover device identifiers, online tracking technologies and “probabilistic identifiers” - identifiers that, based on categories of personal information, identify a consumer or device to a degree of certainty of more probable than not.
10 provisions you need to look at
The CCPA details the following rights for consumers:
- Right to know which data is collected by a business on consumers, free of charge.
- Right to delete their data.
- Right to say no to the sale of their information.
- Right to sue companies whose failure to implement and maintain reasonable security leads to the theft or breach of their nonencrypted and nonredacted personal information.
- Right not to be discriminated against if they instruct a company not to sell their personal information.
- Right to be informed of what categories of data will be collected prior to its collection, and to be informed of any relevant changes.
- Opt-in before sale of children’s information (the child’s own consent for consumers under 16, and parental consent for consumers under 13).
- Right to know the categories of third parties with whom data is shared.
- Right to know the categories of sources of information from whom the data was acquired.
- Right to know the business or commercial purpose of collecting the information.
Amendments to the rescue
CCPA’s creation was not a static process; over the past year requirements were repeatedly amended and changed. The following recent amendments clarify and somewhat reduce the CCPA’s strain:
- Exemption of employee data and emergency contact data until January 2021.
- Clarification that identifiers specified in the CCPA are not considered automatically to fall under the definition of “personal information”; only if they can be associated with an individual or a household.
- Businesses that operate exclusively offline and have a direct relationship with a consumer from whom they collect personal information need only provide an email address for submitting requests to exercise various CCPA rights.
- Exclusion of deidentified and aggregate information from the definition of personal information.
- B2B exception until January 2021 for certain types of information collected in business-to-business communications and transactions.
- Data brokers are required to register as a data broker and provide certain information to the attorney general.
“reasonable security” = cybersecurity
The phrase “reasonable security” appears four times across the CCPA and the Attorney General’s implementing regulations:
- “A business shall use reasonable security measures when transmitting personal information to the consumer.”
- “The business shall implement and maintain reasonable security procedures and practices in maintaining these records.”
- “A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.”
- “An authorized agent shall implement and maintain reasonable security procedures and practices to protect the consumer’s information.”
The CCPA itself does not spell out what cybersecurity a business must implement. Instead, the duty is anchored elsewhere in California law: Civil Code section 1798.81.5 requires a business to implement and maintain reasonable security procedures and practices appropriate to the nature of the information it processes, and the CCPA’s private right of action is triggered by a breach that results from a violation of that duty.
Businesses should consider building their information security programs on industry-recognized frameworks such as the CIS Controls, the NIST Cybersecurity Framework and ISO 27001. Businesses that have already implemented cybersecurity controls to satisfy other requirements, such as GLBA, the NYDFS Cybersecurity Regulation, PCI DSS, GDPR or the NY SHIELD Act, will find that those efforts are most probably in line with the CCPA’s security expectations.
Where to start
To begin your CCPA compliance project, you should review your legal obligations with an attorney who specializes in such legislation.
Once you have established that you must abide by the CCPA, take the following steps:
- Identify and map the California residents’ personal information you collect, use, and sell.
- Create policies, procedures, and processes to manage deletion, access, disclosure, and requests, and avoidance of discriminatory conduct.
- Inform, educate and train your employees to effectively comply with such policies, procedures, and processes.
- Review your cybersecurity efforts and establish if you need to only adjust or perhaps start a new program. Act on this decision proactively.
- Identify your data assets including on premises, cloud, and third parties and understand if you are adequately protecting them - if not, apply proper controls.
- Test your environment to confirm criminal actors can’t exploit existing vulnerabilities you might have overlooked.
When things go wrong - Breach
The consumer data you store and control must be properly protected; should your business become the victim of a cyber-attack, fraud, or mistake (all three may constitute a breach) you will see the teeth of the CCPA, but it goes beyond that.
Under the CCPA’s private right of action, a business whose failure to implement and maintain reasonable security results in a breach of a consumer’s nonencrypted and nonredacted personal information can be required to pay statutory damages of $100 to $750 per California resident per incident, or actual damages, whichever is greater.
The California attorney general can separately penalize a business for violations of the CCPA. Examples include a business’s failure to respond to consumer requests to view or delete personal information, or its unauthorized sale or sharing of their personal information.
The attorney general may impose a civil penalty for each violation:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation
Example: under the private right of action, a data breach affecting 10,000 California consumers carries a potential statutory-damages exposure of up to $7.5 million (10,000 × $750), before any attorney general penalties or actual damages are counted.
Beyond these penalties, the private right of action also exposes businesses to civil class action lawsuits and restitution to California residents in the event of data theft or a security breach.
We mentioned the similarity to GDPR, which requires notification to the supervisory authority within 72 hours of becoming aware of a breach. The CCPA provides no fixed window of its own; breach notification timing in California comes from the state’s breach notification statute (Civil Code section 1798.82). It requires notifying affected residents “in the most expedient time possible and without unreasonable delay”, and a business that maintains data it does not own must notify the data owner “immediately following discovery” of the breach.
If a single breach affects more than 500 California residents, a sample copy of the notification must also be submitted to the attorney general.
The CCPA, the most rigorous privacy regulation in the US, is a game changer. It introduces data responsibilities that US companies must now take on. Although such responsibilities have come a long way in the past decade, the general attitude of US businesses to data privacy has often been mild. CCPA has awoken the privacy beast, and it sets a very high bar for businesses not accustomed to such discipline.
If your business controls the personal data of California residents and your business matches the criteria the CCPA specifies, you need to implement a program to fully identify and understand the data assets you possess. You must recognize the legal responsibilities and business processes to change and employ, recognize the cyber threats you are facing, and calculate the related risk factors. Finally, you must then implement a customized plan to adhere to the CCPA, and defend your environment and data.
Nettitude services aligned with this post:
- ISC consulting around security frameworks, data mapping, policies and procedures
- Vulnerability scanning
- Penetration testing