The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, grew out of a need to protect the privacy of consumer data at a time when data breaches involving the personal information of consumers are becoming commonplace. The state of California has the most data breaches and the most data records exposed (1700) in the U.S. That’s according to findings by Comparitech of data breaches between 2005 and 2020. During this time, California had a total of almost 5.6 billion records. It makes sense that the state would be the first in the U.S. to adopt strict regulations to protect the privacy of consumer’s personal information. Are you a California business wondering how the CCPA affects your operation? You should view the CCPA privacy rights as outlined in their entirety on the State of California Department of Justice website. The website provides all the information you need to determine if the CCPA applies to your business, what actions the business must take, and the penalties if the business does not obtain compliance.
The following are nine key takeaways from the CCPA for California businesses:
- The CCPA grants consumers specific rights regarding their personal information.
- The CCPA includes definitions of consumer and personal information.
- The CCPA impacts specific businesses.
- Businesses impacted by the CCPA have responsibilities regarding the personal information of consumers.
- Some personal information is excluded from the CCPA.
- The CCPA includes requirements for selling the personal information of children.
- Non-Compliance of the CCPA is enforced by the Attorney General.
- Consumers have legal recourse for business non-compliance of the CCPA.
- A security breach could become more costly.
1. The CCPA grants consumers specific rights regarding their personal information.
The CCPA grants consumers the following four rights regarding their personal information:
- The right to know what personal information about them is collected, the purpose of collecting the information, and the reason collecting the information is necessary.
- The right to request the deletion of their personal information collected by a business or service provider.
- The right to opt-out of the sale of their personal
- The right to not be discriminated against because they choose to opt-of sharing their personal information.
2. The CCPA includes definitions of consumer and personal information.
The two key concepts addressed in the CCPA are “consumer” and “personal information.” These terms are defined by the CCPA:
- The CCPA defines a consumer as a natural person who resides in California, even if the person is temporarily outside of the state.
- The CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.” The CCPA includes a long list of categories by which personal information can be identifiable.
3. The CCPA impacts specific businesses.
There are three questions that businesses can ask themselves to determine if the CCPA applies to their business:
- Is your business a for-profit business that conducts business in the state of California?
- Is your gross annual revenue more than $25 million?
- Does your business “buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices”?
- Does your business “derive 50% or more of their annual revenue from selling California residents’ personal information”?
If your business answers “yes” to any of the above questions, the CCPA applies to your business.
4. Businesses impacted by the CCPA have responsibilities regarding the personal information of consumers.
Businesses that are impacted by the CCPA must do the following:
- Advise consumers that they collect personal information.
- Inform consumers of the types of personal information they collect.
- Inform consumers of their purpose for collecting personal information.
- Reveal any third-party businesses to which personal information is distributed.
- Provide a method for consumers to submit a request to access their personal data.
- Provide consumers an opt-out option to selling their personal information. If a consumer later chooses to opt-in, the business must make the request and confirm their opt-in. The CCPA allows businesses to offer consumers who have not opted-out, a financial incentive.
- Include a privacy policy on their website that includes the information stated above.
5. Some personal information is excluded from the CCPA.
The CCPA references the following exclusions:
- Medical information that is governed by the Confidentiality of Medical Information Act (CMIA) or health information that is protected by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 are not covered by the CCPA.
- While employers are required to inform employees and potential employees about the personal information they collect and its purposes, the personal data collected and stored as part of being an employee, an employee’s emergency contact, or personal information used in processes for benefits is not protected by the CCPA.
- Any aspect of the CCPA that prevents an impacted business from complying with other federal, state, or local laws is excluded.
- Information that is available to the public is not covered by the CCPA.
6. The CCPA includes requirements for selling the personal information of children.
The U.S. federal government enacted the Children’s Online Privacy Protection Act (COPPA) in 1998 for the purpose of protecting the online privacy of children. The CCPA includes the following requirements of impacted businesses that extends that protection by giving parents and teenagers additional control over the personal data of minors:
- Impacted businesses are prohibited from selling the personal information of consumers that are younger than 16 years old without prior authorization from a parent, legal guardian, or the minor consumer (when the consumer is age 13 or over).
- The consent to sell personal information of minors must be verifiable using “reasonable methods” that are in line with the recommended methods stated in the CCPA. An impacted business must have knowledge that a consumer is under the age of 16.
7. Non-Compliance of the CCPA is enforced by the Attorney General.
The CCPA is enforced by the California attorney general. The attorney general has the right to bring a civil action against an organization that has been informed that they are not in compliance of the law and have not come into compliance within 30 days of being notified of the noncompliance. Violators of the CCPA may be hit with fines of up to $2500 for each violation and up to $7500 for each intentional violation.
An impacted business that chooses not to inquire about a consumer’s age is considered “willful disregard” of the CCPA and may result in a non-compliance violation.
8. Consumers have legal recourse for business non-compliance of the CCPA.
If a consumer’s personal information is involved in a data breach, the CCPA allows the consumer to bring suit against the organization.
There are three checks for this to apply:
- The personal information must be a combination of the consumer’s first and last name and one of the items outlined by the CCPA.
- The personal information must have been stolen, accessed without authorization, or disclosed.
- The personal information must have been in nonencrypted and nonredacted form.
9. A security breach could become more costly.
The average cost of a data breach will likely increase with the CCPA in force. According to a report by IBM, the average cost of a data breach is $3.86 million. Since 2003, California law has required organizations and state agencies to report data security breaches involving the unencrypted personal information of any California resident by an unauthorized person. Under the CCPA, an impacted business is required to pay a maximum of $750 for each data breach incident.
Next Steps
According to a report by the global computer security software company McAfee, only 31% of organizations in the U.S. have a plan to prevent IT security incidents. While the CCPA does not require that impacted businesses implement specific security methods, it’s a good plan for these businesses to take steps to obtain compliance.
The following are general steps that can help you obtain compliance with the CCPA:
- Review the CCPA in its entirety and stay informed of any updates.
- Understand the personal information of consumers that your business collects and stores.
- Create or update your privacy policy to include the information required by the CCPA.
If you’re not sure where your business stands regarding the CCPA or need assistance obtaining compliance, BACS can help. BACS is a firm that provides IT security solutions. Compliance is one of the core areas of expertise of the firm. The professional staff has expertise in analyzing the security needs of organizations and developing a comprehensive and strategic plan that includes adherence to applicable regulations.