On June 28, 2018 the governor of California Jerry Brown signed into law with Assembly Bill No. 375 the California Consumer Privacy Act (CCPA), making California the first U.S. state to pass its own data privacy law. Last August, my colleague Ashvin Kamaraju wrote a blog shortly after this took place.
The CCPA, which will come into effect on Jan. 1, 2020, grants the state’s over 40 million people a range of rights comparable to those given to European citizens under the General Data Protection Regulation (GDPR). The two pieces of legislation are not that similar, but they do share some general features; GDPR is an omnibus law, while the CCPA is more limited in scope.
What is considered Personal Information under the CCPA
The CCPA uses a very broad definition of what constitutes Personal Information (PI), defining PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A key difference from GDPR is the word “household,” which adds complexity to the implementation of the Act. For example, data collected by an entity may not be associated with an individual but could still identify a household.
The CCPA also lists examples of what could be defined as PI that include commercial information (“records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies”), Internet or other electronic network activity information (such as browsing and search histories), education information and audio, electronic, visual, thermal, olfactory, or similar information.
Personal Information excluded by the CCPA
Similar to GDPR, the CCPA excludes from its scope information that is publicly available. Under the CCPA publicly available information is defined as “lawfully made available from federal, state, or local government records, if any conditions associated with such information.”
To give some examples, the CCPA excludes de-identified information, PI used for a purpose different from the one for which the information was collected, and medical data collected by an entity governed by California’s Confidentiality of Medical Information Act or HIPAA.
A brief look at CCPA’s Scope and Application
The CCPA applies to for-profit entities that both collect and process the PI of California residents and do business in the State of California; a physical presence in California is not a requirement. Entities must meet at least one of the following criteria in order for the CCPA to apply:
(1) They generate annual gross revenue in excess of 25 million dollars.
(2) They annually buy, sell, receive for commercial purposes, or share for commercial purposes the PI of 50,000 or more of California residents.
(3) They derive at least 50 percent of their annual revenue from selling the PI of California residents.
Non-profit organizations and small companies that don’t meet any of the three above criteria are not required to comply with the CCPA.
Also covered by the CCPA is any affiliated entity of such a business that operates under the same brand, and there are also requirements for certain types of service providers and third parties that process data on behalf of a regulated business.
What CCPA means for California residents
The CCPA governs the PI of California residents (or consumers) granting them the following rights over their PI data:
(1) The right of Californians to know what PI is being collected about them.
An entity must notify consumers of what PI is being collected and how it is collected and used.
(2) The right of Californians to know whether their PI is sold or disclosed and to whom.
An entity must notify consumers if their PI is being shared with or sold to a third party, and who that third party is.
(3) The right of Californians to say no to the sale of PI.
Consumers must be presented with an easy, simple and straightforward process to opt out of having their PI sold to a third party, with special provisions for consumers under the age of 16 (who must opt in to the sale of their PI data) and under 13 (the parent or guardian of the child must give consent to the sale of their PI data).
Also, entities under the CCPA must post a “Do Not Sell My Personal Information” link on their websites, allowing consumers to easily exercise their right to opt out.
(4) The right of Californians to access their PI.
Consumers have the right to request that entities provide access to, correct or delete their PI data, and entities must always inform consumers that they have these rights and comply with such requests.
When a consumer requests deletion of their PI data, entities are also required to ensure the consumer’s PI is deleted by any third-party partners with whom they may have shared that consumer’s PI.
There are some exceptions to this deletion requirement, though, such as when the PI is needed to complete a financial transaction.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
An entity cannot discriminate against a consumer who exercises his or her rights, and the CCPA prevents the entity from charging the consumer a fee because he or she exercised a right under the CCPA. However, there are provisions in the Act that allow an entity to offer consumers financial incentives in exchange for the collection of their PI.
Finally, consumers have the right to file individual or class action lawsuits, and can be compensated with between $100 and $750 in statutory damages per incident, or actual damages.
What the CCPA means for businesses and what to do as a CIO
To make things a bit more complicated for entities required to comply with the Act, the CCPA states that the California Attorney General must publish regulations (and explanatory notes) between Jan. 1, 2020, and July 2, 2020, and that the Attorney General is not allowed to bring enforcement actions under the CCPA until the earlier of six months after the final regulations are published.
The CCPA has already been updated once, and will probably go through additional updates before it takes effect. Even so, entities must already be preparing so that they are fully compliant with the CCPA’s many requirements, including the changes needed based on the final regulations.
The CCPA requires businesses to explain to consumers their rights under the CCPA at the time their PI is collected. This notice should include the categories of PI collected, how that PI is used, and the categories of PI the business has shared with or sold to third parties (and who these parties are) in the last year.
The first step for a business to prepare for compliance is to start mapping the PI it collects, the ways it collects it, who has access to it, whether it is shared with third parties, and the locations where the information is stored. Then policies and procedures must be created or restructured, and the company’s website must be updated to meet CCPA requirements.
Exploring the possible legal liabilities, consumers under the CCPA have the right of legal action if their PI “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”
Fines under the CCPA are very high: businesses failing to comply are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Also, once an entity is notified by the Attorney General of a violation, it has 30 days to become compliant to avoid penalties.
Looking into the future
To conclude my thoughts, 2018 was a historic year for the data privacy world, first with the enforcement of the GDPR, legislation which led a lot of countries around the world to rethink their policies on protecting the privacy of their citizens, and then with the CCPA.
Currently, every U.S. state has a data protection law and potentially each will have their own version of privacy laws in the future. Add to this an ever-increasing set of global data security and privacy regulations. This creates a complex web of rules and regulations that a CISO needs to navigate to protect their company. The problem becomes ever more complex with the parallel process of digital transformation, in which Personally Identifiable Information (PII) flows across traditional on-premises, big data, and cloud environments. Where is a CISO to begin?
Here are a few first steps:
(1) It is important to work closely with IT, policy teams and business lines to identify or discover the types of PII data, where it resides today and in any future digital transformation plan.
(2) Identify the regulations that will need to be met; a good starting point is reviewing the Thales Data Security Compliance and Regulations eBook.
(3) Fortunately, there is a lot of overlap in data security and privacy requirements. When you boil these down for your organization into technology and process requirements, you’ll find that encryption, tokenization, strong key management, and access controls can satisfy many of the privacy requirements to protect your organization from breach notification actions.
(4) Identify as few strategic data security platforms and vendors as possible to help you meet these requirements. Allowing your organization to engage in data security tool sprawl will be expensive and time consuming.
The Thales data security experts and architects are here to help. We have aided companies around the world to satisfy current regulations and prepare for future ones. In the meantime, read our white paper, How to Prepare for the California Consumer Privacy Act.