After the promulgation of the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) was the next data privacy regulation to have a significant impact on organizations all across the world.
The CCPA is a data privacy law that mandates companies to become better custodians of their consumers' personal information and is often seen as the U.S. counterpart of the GDPR. The law came into effect on January 1, 2020 and has been enforced from the 1st of July 2020.
Here is an overview of this critical privacy regulation.
Consumers who are protected and provided rights under the CCPA are the estimated 40 million residents of California. These rights include:
The privacy policies of businesses must specify consumers' erasure rights, collection and sale/disclosure of personal information, opt-in/opt-out rights for data sales, privacy-based discrimination restrictions, and consumer request metrics.
The right to access allows consumers to request organizations to disclose the following personal information:
The CCPA has given an expanded definition of the term 'Personal Information', which is protected under the statute. Any information that identifies a particular consumer or household is considered 'Personal Information'.
This includes a huge variety of data, such as:
(real names, alias, residential address, IP, email address, account name, social security number, driver's license number, passport number, etc.);
(records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, etc.);
Information that the person presents cannot be found publicly. This does not apply to publicly accessible educational information on the individual.
reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
includes geolocation, audio, electronic, visual, thermal, olfactory, or similar information that may be in possession of the organization.
The only exceptions are publicly available information (made public by federal or state authorities) or de-identified consumer information.
If a for-profit entity that does business in California fulfills any one of the following three conditions, it is required to abide by the CCPA regulations.
Has $25 million in gross annual revenue;
Obtains or shares personal information of at least 50,000 California residents, households, and/or devices per year;
At least 50% of their annual revenue is generated from selling California residents’ personal information.
Businesses to which the CCPA applies also include any entity that is run or controlled by a business or that shares common branding with a business. No distinction has been made between domestic and foreign entities, and a foreign parent company with a controlling interest in a U.S.-based subsidiary would itself also be subject to the CCPA.
A few industries that are already sufficiently covered under other privacy laws are exempted from the CCPA, such as:
Health providers and insurers that are already covered under HIPAA
Financial companies covered by Gramm-Leach-Bliley
Credit reporting agencies under the Fair Credit Reporting Act
The CCPA is based on an opt-out cookie consent regime. Under the CCPA, the following are the requirements for a cookie banner:
Given the rising frequency and severity of privacy scandals and data breaches, the CCPA has laid down some strict penalties for businesses failing to comply. The penalties are:
The law has come into force from July 1st, 2020, and it is expected that CCPA and other data privacy litigation will only increase in the coming years. The CPRA has already amended the CCPA and increased obligations on businesses and protections for consumers starting from 2023.
Given the expanded definition of the term 'personal information' and the tight time frame provided to businesses to respond to privacy disclosure, access, and deletion requests, along with other requirements, complying with the CCPA can be very labor-intensive and costly.
Securiti's award-winning solution revolves around the concept of PrivacyOps, which utilizes robotic automation, artificial intelligence, and machine learning to automate compliance tasks, freeing up crucial resources for other areas of business.
Securiti helps businesses discover data over a wide range of internal and external systems, build a People Data Graph to link personal data to each individual, automate data access requests, assessments, consent management, and more.
The CCPA stands for California Consumer Privacy Act.
Nearly 500,00 organizations worldwide have been affected by the CCPA.
According to IAPP research, 95% of businesses are not prepared for the CCPA.
The CCPA exempts organizations complying with the following:
Securiti uses award-winning automation, machine learning, and AI to help reduce costs, liabilities, and human effort while helping your business comply effortlessly.