The California Consumer Privacy Act (CCPA) is a data privacy law that requires companies to become better custodians of their consumers' personal information.
Here is an overview of this important new privacy regulation.
The CCPA protects and grants rights to the estimated 40 million residents of California. These rights include:
The right to notice requires an organization to provide consumers with notice of the company's practices regarding the collection, use, sale, and sharing of personal information.
Personal information of minors cannot be sold by a business unless the minor (if aged 13 to 16) or the parent or guardian (if the minor is under 13) opts in to the sale. Businesses can be held liable for selling a minor's personal information if they knew, or wilfully disregarded, that the consumer was a minor and the minor or parent/guardian had not opted in.
The right to access allows consumers to request that an organization disclose the personal information collected about them within the last 12 months, the sources from which it was collected, the business or commercial purpose for collecting it, the categories of third parties with which it is shared, and the categories of personal information the company sold or disclosed. The business must respond within 45 days.
Even when consumers allow a business to collect and sell their personal information, the business must sign written contracts with service providers and any other entities that process the data on its behalf or that buy the data from it for a specific business purpose.
A business's privacy policy must specify consumers' erasure rights, the collection and sale/disclosure of personal information, opt-in and opt-out rights for data sales, and the restrictions on privacy-based discrimination.
The CCPA strictly prohibits businesses from discriminating against consumers for exercising their rights under the CCPA. Businesses may vary their services or change the price of goods and services only if the difference in service or price is reasonably related to the value of the consumer's personal information to the business.
The right to erasure gives consumers the right to request deletion of all their data stored by the organization. Organizations must not only comply within 45 days but also deliver a report on the deleted information to the consumer.
Businesses may offer consumers financial incentives, including payment as compensation, for the sale or collection of their personal information; however, consumers must at all times be able to revoke this permission and request deletion of all previously collected or sold personal information.
The right to opt out requires businesses to place a "Do Not Sell My Information" button on the company's website and to implement procedures that comply with the corresponding requirements. Consumers retain the right to opt out of the sale of their personal information again, even after permitting its sale to a business, if a third party that bought the personal information wishes to sell it on to another party.
Businesses must provide consumers with at least two designated methods or channels for submitting requests for disclosure of personal information, including a toll-free number. Businesses that operate exclusively online and have a direct relationship with their consumers may instead provide an email address.
The CCPA gives an expanded definition of the term 'Personal Information', which receives protection under the statute. Any information that identifies a particular consumer or household is considered 'Personal Information'. This includes:
Identifiers: real names, aliases, residential address, IP address, email address, account name, social security number, driver's license number, passport number, etc.
Professional or employment-related information: information about employees beyond their personal information, such as job title, contracts (if any), benefits, and any other professional data.
Commercial information: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Education information: information provided by the person that cannot be found publicly. This does not apply to publicly accessible educational information about the individual.
Biometric information: biometrics is the technical term for body measurements and calculations, that is, metrics derived from human characteristics that are used to verify identity or grant access.
Inferences drawn from personal information: profiles reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Internet or network activity: browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement.
Geolocation and sensory data: geolocation, audio, electronic, visual, thermal, olfactory, or similar information that may be in the possession of the organization.
The only exceptions are publicly available information (made public by federal or state authorities) and consumer information that has been deidentified.
A for-profit entity that does business in California must comply with the CCPA if it meets any one of the following three conditions:
Has $25 million in gross annual revenue;
Obtains or shares the personal information of at least 50,000 California residents, households, and/or devices per year;
Derives at least 50% of its annual revenue from selling California residents' personal information.
Businesses to which the CCPA applies also include any entity run or controlled by such a business, or which shares common branding with it. No distinction is made between domestic and foreign entities: a foreign parent company with a controlling interest in a U.S.-based subsidiary would itself also be subject to the CCPA.
A few industries that are already sufficiently covered under other privacy laws are exempted from the CCPA, such as:
Health providers and insurers that are already covered under HIPAA
Financial companies covered by Gramm-Leach-Bliley
Credit reporting agencies under the Fair Credit Reporting Act
Given the rising frequency and severity of data breaches, the CCPA lays down strict penalties for businesses that fail to comply. The penalties are:
Maximum civil penalties of $7,500 for intentional violations, brought by the State of California through the Office of the Attorney General. Businesses have only a 30-day period to cure the violation after being informed of it, or they face financial penalties.
Maximum civil penalties of $2,500 for unintentional violations, brought by the State of California through the Office of the Attorney General. Businesses have only a 30-day period to cure the violation after being informed of it, or they face financial penalties.
Consumers can file private lawsuits for between $100 and $750, or for actual damages, for each incident of breach of their unredacted and unencrypted data stored on a business's servers. Businesses have only a 30-day period to cure the violation after being served notice by the consumer, or they face civil penalties.
The law has been in force since July 1st 2020, and CCPA and other data privacy litigation is expected only to increase in the coming years.
Given the expanded definition of the term 'personal information' and the tight time frame businesses have to respond to privacy disclosure, access, and deletion requests, along with the other requirements, complying with the CCPA can be very labor-intensive and costly.
SECURITI.ai's award-winning solution is built around the concept of PrivacyOps, which uses robotic automation, artificial intelligence, and machine learning to automate compliance tasks, freeing up crucial resources for other areas of the business.
SECURITI.ai helps businesses discover data across a wide range of internal and external systems, build a People Data Graph that links personal data to each individual, and automate data subject requests, assessments, consent management, and more.
The CCPA stands for California Consumer Privacy Act.
Nearly 500,000 organizations worldwide have been affected by the CCPA.
According to IAPP research, 95% of businesses are not prepared for the CCPA.
The CCPA fines are a maximum of $7,500 per violation, with no upper cap.