- July 26, 2021
The California Consumer Protection Act 2018 (CCPA) is a law that protects personal data and strengthens consumer privacy laws. Similar to the European Union General Data Protection Regulation (EU-GDPR), the CCPA was implemented to safeguard the privacy rights of the residents of California, United States.
The CCPA data protection Act gives California residents the right to know about the collection of their personal data and where the data is used. The act lets them access all the data that an organization has collected from them, decline the sale or sharing of their personal information with any third party, and request that the organization delete it.
In 2005, California suffered more data breaches than any other state in the United States, with 1,777 breaches affecting over 5.6 billion records. According to a 2020 Statista report, 1001 data breach cases were reported in the United States, and these breaches affected 151.8 million individuals.
Who is Subject to the California Consumer Protection Act (CCPA)?
The CCPA applies to entities with physical structures in California or entities collecting, storing, and processing data belonging to California residents for business purposes. The CCPA data privacy law is also applicable to service providers that handle customers’ personally identifiable information (PII) on behalf of a business and any third party that interacts with the customers’ PII.
In addition, the CCPA data privacy law applies to:
- Companies with annual revenue of over $25 million.
- Companies that collect the PII of more than 50,000 California consumer households or devices.
- Companies that obtain more than 50% of their revenue from selling consumers’ personal information.
Particulars of the California Consumer Protection Act (CCPA)
Although the CCPA is an inclusive law, certain businesses are exempted from compliance. For example, all non-profit organizations are exempted. Still, the law would apply to organizations that are controlled by, share brand names with, or enter into a joint venture with a for-profit company. In addition, non-profit exemptions are based on the type of information collected or the type of individual from whom the information was collected.
The exemptions also apply to employee information collected wholly outside of California, B2B contracts, warranties or recalls, and data subject to other state or federal laws. For example, data collected, processed, and sold under the Gramm-Leach-Bliley Act (GLBA) and the California Financial Information Act are excluded.
In addition, companies covered by the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act are also exempted from the California Consumer Protection Act of 2020. The penalties for non-compliance are set at $2,500 for unintentional violations and $7,500 for intentional violations.
A Real-life Case Study
In January 2020, Hanna Andersson, LLC notified its customers about a widespread data breach that took place within two months. The data breach impacted customer data, including payment card details, home addresses, full names, and other sensitive personally identifiable information. As expected, the attackers auctioned the stolen customer data on the dark web.
Following the data privacy incident disclosure, affected California residents filed a complaint against Hanna Andersson, LLC. In a legal battle that lasted for a year, the court decided that Hanna Andersson, LLC failed to facilitate the proper data privacy measures required by the CCPA. As such, the court awarded the plaintiffs $7,500 in total. This ordeal caused grave reputational damage to Hanna Andersson, LLC and all of its associates.
How to Select a Partner in the CCPA Compliance Journey
Businesses that collect the personal information of California residents are not the only ones that come under the CCPA; third-party associates are also included in this law. Therefore, while selecting a cybersecurity partner, it is necessary to ensure and maintain CCPA compliance.
Companies must audit all third-party associates that collect customers’ personal information and implement security protocols that align with CCPA requirements. After review, the next step is to amend and renegotiate the contracts to achieve compliance.
Below are some key attributes to look out for when selecting an external cybersecurity partner to achieve and maintain CCPA compliance:
- The use of a standard security framework for CCPA compliance.
- Updated policies and procedures for handling consumer demands according to CCPA guidelines.
- Proper data inventory for providing sensitive records from the date of the request.
- An updated website publicly stating CCPA compliance.
- An explanation of the suitable data options for consumers, in a readable format and in plain and simple English.
Becoming compliant with the CCPA is an essential requirement for all companies that want to do business in California or use the data of California residents. Below are some critical steps to achieve and maintain sustainable compliance with the CCPA:
- First, develop a compliance framework that works for your business and security goals.
- Identify all data types that are being collected and stored within your infrastructure.
- Perform regular security audits and risk assessments of your data processing systems.
- Consistent security awareness training for employees and management teams is critical.
- Respond promptly to data subject access requests (DSARs) from consumers.
As cyber-attacks become a daily occurrence, data privacy regulations are also becoming stricter and more robust. Furthermore, with GDPR and CCPA already in action, more privacy protection laws will undoubtedly be introduced. Therefore, companies must take proactive steps by engaging with data privacy experts to align business processes with data privacy compliance requirements, both to maintain consumer trust and to prevent hefty penalties.
Companies and third-party partners that interact with data belonging to California residents must always be aware of the changes that are often made to the CCPA.