After the promulgation of the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) was the next data privacy regulation to have a significant impact on organizations across the world.
The CCPA is a data privacy law that requires companies to become better custodians of their consumers' personal information and is often seen as the U.S. counterpart of the GDPR. The law came into effect on January 1, 2020, and has been enforced since July 1, 2020.
Here is an overview of this critical privacy regulation.
The CCPA protects California residents (roughly 40 million people, whom the statute calls "consumers") and grants them the following rights:
The right to notice requires a business to inform consumers, at or before the point of collection, of its practices for collecting, using, selling and sharing personal information.
The right to deletion (erasure) gives consumers the right to request that a business delete the personal information it has collected about them. The business must respond within 45 days of receiving a verifiable request (extendable once by a further 45 days where reasonably necessary, provided the consumer is told), must confirm to the consumer that the information has been deleted, and must direct its service providers to delete it as well. The statute lists exceptions, for example where the information is needed to complete a transaction the consumer requested or to comply with a legal obligation.
A business may not sell the personal information of a consumer it knows to be under 16 unless the consumer (if aged 13 to 15) or a parent or guardian (if the consumer is under 13) has affirmatively opted in to the sale. A business that wilfully disregards a consumer's age is treated as having actual knowledge of it and is liable for the sale accordingly.
Even when a consumer has allowed a business to collect and sell their personal information, the business must have written contracts with any service providers or other entities that process the data on its behalf or that buy the data for a specific business purpose. Businesses must also forward consumers' opt-out requests to those service providers and third parties.
A business's privacy policy must describe consumers' deletion rights, the categories of personal information the business collects and sells or discloses, the opt-in/opt-out rights that apply to sales, the non-discrimination rule, and, for businesses above the volume threshold set in the regulations, annual metrics on the consumer requests it received.
Businesses may offer financial incentives, including payment, for the collection or sale of personal information, provided consumers opt in to the incentive, can revoke that permission at any time, and can request deletion of previously collected or sold personal information.
Businesses must provide at least two designated methods for submitting requests to know what personal information has been collected, one of which must be a toll-free telephone number. A business that operates exclusively online and has a direct relationship with the consumer may instead provide only an email address.
The CCPA prohibits businesses from discriminating against consumers for exercising their CCPA rights. A business may vary its service or price only if the difference is reasonably related to the value that the consumer's personal information provides to the business.
The right to access (also called the right to know) allows consumers to request that a business disclose the following personal information:
All of this must be provided within 45 days of receiving a verifiable request.
The right to opt out requires a business that sells personal information to provide a clear and conspicuous "Do Not Sell My Personal Information" link on its website and to implement procedures for honouring opt-out requests. Once a consumer has opted out, the business must wait at least 12 months before asking that consumer to authorise sales again. The right also follows the data: a third party that has bought a consumer's personal information may not sell it onward unless the consumer has received explicit notice and been given an opportunity to opt out.
The CCPA gives the term 'personal information', which the statute protects, an expanded definition: any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This includes a huge variety of data such as:
Identifiers (real name, alias, postal address, IP address, email address, account name, Social Security number, driver's license number, passport number, etc.);
Commercial information (records of personal property, products or services purchased, obtained or considered, and other purchasing or consuming histories or tendencies);
Non-public education information (personally identifiable information as defined in the Family Educational Rights and Privacy Act); publicly available education information is not covered;
Inferences drawn from any of the above to build a profile reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes;
Geolocation data and audio, electronic, visual, thermal, olfactory or similar information held by the business.
Excluded are publicly available information, meaning information lawfully made available from federal, state or local government records, and de-identified or aggregate consumer information.
A for-profit entity that does business in California must comply with the CCPA if it meets any one of the following three thresholds:
Has more than $25 million in gross annual revenue;
Buys, receives, sells or shares the personal information of 50,000 or more California residents, households or devices per year (the CPRA raised this to 100,000 consumers or households, with devices no longer counted, from January 1, 2023);
Derives 50% or more of its annual revenue from selling California residents' personal information.
The CCPA also applies to any entity that controls or is controlled by a covered business and shares common branding with it. No distinction is made between domestic and foreign entities: a foreign parent company with a controlling interest in a U.S.-based subsidiary that shares its branding is itself subject to the CCPA.
The CCPA exempts certain data that is already covered by other privacy laws, such as:
Protected health information held by health providers and insurers covered by HIPAA
Personal information collected by financial institutions under the Gramm-Leach-Bliley Act (GLBA)
Consumer report information governed by the Fair Credit Reporting Act
These are exemptions for the covered data, not blanket exemptions for the industry: a HIPAA-covered provider's website analytics or marketing data, for example, remains subject to the CCPA, and the GLBA exemption does not shield a financial institution from the private right of action for data breaches.
The CCPA operates on an opt-out rather than an opt-in consent regime for cookies: a business does not need consent to set cookies, but cookie and device identifiers are personal information, and passing them to advertising or analytics partners can amount to a sale that consumers must be able to opt out of. Under the CCPA, the requirements for a cookie banner are the following:
Given the rising frequency and severity of privacy scandals and data breaches, the CCPA sets strict penalties for businesses that fail to comply:
Civil penalties of up to $7,500 per intentional violation, brought by the State of California through the Attorney General's Office (and, since 2023, also by the California Privacy Protection Agency).
Civil penalties of up to $2,500 per unintentional violation, brought by the same enforcers.
Under the original CCPA a business had 30 days to cure a violation after being notified by the Attorney General's office before penalties could be sought; the CPRA removed this mandatory cure period as of January 1, 2023, leaving any cure period to the regulator's discretion.
A private right of action for consumers whose nonencrypted and nonredacted personal information is breached as a result of the business's failure to implement and maintain reasonable security procedures: statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Before suing for statutory damages the consumer must give the business 30 days' written notice, and the claim cannot proceed if the business cures the violation within that period; the CPRA clarifies that adopting reasonable security after a breach does not count as curing that breach.
Enforcement has been in force since July 1, 2020, and CCPA and other data privacy litigation is expected to increase in the coming years. The CPRA has since amended the CCPA, increasing the obligations on businesses and the protections for consumers from January 1, 2023.
Given the expanded definition of 'personal information' and the tight time frames for responding to disclosure, access and deletion requests, along with the other requirements, complying with the CCPA can be very labor-intensive and costly.
Securiti's award-winning solution revolves around the concept of PrivacyOps, which uses robotic automation, artificial intelligence and machine learning to automate compliance tasks, freeing up resources for other areas of the business.
Securiti helps businesses discover data across a wide range of internal and external systems, build a People Data Graph that links personal data to each individual, and automate data access requests, assessments, consent management and more.
Nearly 500,000 organizations worldwide are affected by the CCPA.
According to IAPP research, 95% of businesses are not prepared for the CCPA.
Securiti uses award-winning automation, machine learning, and AI to help reduce costs, liabilities, and human effort while helping your business comply effortlessly.
CCPA stands for the "California Consumer Privacy Act." It's a comprehensive data privacy law enacted in California, USA, designed to give California residents greater control over their personal information held by businesses.
GDPR and CCPA are two distinct privacy regulations. GDPR is the General Data Protection Regulation, a European Union regulation governing data protection and privacy for individuals within the EU. CCPA, on the other hand, is the California Consumer Privacy Act, a Californian law that provides privacy rights to residents of California, USA.
There is no "CCPA Protection Act." Californians' privacy rights are governed by the CCPA as amended by the California Privacy Rights Act (CPRA). The CPRA created the California Privacy Protection Agency (CPPA), which implements the law and shares enforcement of the amended CCPA with the Attorney General.
Copyright © 2023 Securiti