Exterior photo of Sacramento city hall showing how the upcoming California Consumer Privacy Act (CCPA) will impact businesses and consumers
What is the California Consumer Privacy Act and Does it Apply to Me? by Ryan Tully, VP of Product Strategy at STEALTHbits

What is the California Consumer Privacy Act and Does it Apply to Me?

When the European Union General Data Protection Regulation (GDPR) was passed in April 2016 and went live in May of 2018, this was touted as a wake-up call to the rest of the world. While we know there are other regulations in place that applied to control of people’s personal and private information, the GDPR promised far stretching reaches and corrective action should someone’s (if located in the EU) personal data be breached.

The United States has not enacted anything quite like the scope of the GDPR with the EU-US Privacy Shield being the closest so far to a federal regulation. However, California has recently chosen to be the trailblazer amongst the states to roll out the first GDPR-like regulation in the US. The California Consumer Privacy Act (CCPA) is being released on January 1, 2020 (though some provisions become impactful earlier) and brings with it a range of impact that could very well reach globally, just as we’ve seen with the GDPR.

Does the CCPA apply to me?

The two major areas of applicability on the CCPA are the data subject (consumer) and the data controller (business). The applicability of a business varies a bit from other regulations with the following rules defined:

  • Must be a for profit business
  • Collects consumer’s personal information, or on the behalf of which such information is collected
  • Determines the purposes and means of the processing of information
  • Does business in California
  • Meets any of the following thresholds:
    • Annual gross revenue in excess of $25 million
    • Annually buys, sells, receives, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes, alone or in combinations
    • Derives 50% or more of it’s annual revenue from selling consumer personal information

To fully understand the scope of a Business, it’s important to understand the Consumer. A Consumer is a natural person who is also a resident, with resident defined as:

  • Every individual who is in the State for other than a temporary or transitory purpose
  • Every Individual who is domiciled in the State who is outside the State for a temporary or transitory purpose
  • All other individuals are nonresidents

While the explicit definition of a consumer is kept short, what constitutes their personal information is a bit broader than similar regulations.

Personally identifiable information under this act is defined as any information that identifies, relates to, descripts, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The key exceptions to this include medical information covered under the Health Insurance Portability and Accountability Act (HIPAA) and content that is made “publicly available”, though a few other acts such as the Driver’s Privacy Protection Act and the Gramm-Leach-Billey Act have exemptions from this coverage as well. Major categories of what constitutes personal information include (but are not limited to):

  • Identifiers such as name, alias, address, IP address, Social Security Number, Driver’s License Number, Passport number, or similar
  • Commercial information including record of property ownership and products and services having been purchased.
  • Biometric information
  • Internet or other electronic network activity information including browser and search history
  • Geolocation data
  • Audio, electronic, visual, thermal, or olfactory information
  • Professional or employment information
  • Educational information
  • Inferences that have been drawn about an individual based on any of the above

Of note on not being covered is “deidentified” information. Similar to the GDPR’s usage of anonymizing, deidentified becomes safe if the information cannot be directly linked to an individual or a household.

How do I become ready for the CCPA?

With definitions out of the way, we should now know whether or not the CCPA applies to you. The question becomes now “what changes might I have to make?” The CCPA affords new rights to consumers, and it’s worth visiting those specific rights to ensure that your organization can respond to them.

  • Right to Opt Out

California residents have the right to Opt-Out of their data being released to a third party. This means that there needs to be a publicly accessible method for consumers to state that they do NOT want their information collected and processed to a third party organization. This method needs to be publicly available, with the most commonly proposed options being a link on the organization’s website or a toll-free number to call.

  • Right of Access

Businesses will have to proactively identify the types of personal information they are collecting and for what purpose they are collecting that information. A third party who purchases or otherwise receives personal information from a business must disclose to the original consumer that they have received that data. A consumer also has the right to ask for a copy of all of their personal information that had been collected in the prior twelve month period.

  • Right to Delete

Upon request from the consumer, a business must delete the personal information it has regarding that consumer. Upon request the business has 45 days to respond and confirm whether the request will be approved. Reasons for not deleting data include such areas as data security, repair errors, and other regulatory compliance needs (such as HIPAA).

  • Right to Equal Service and Price

While it’s likely no additional provisions will be taken to support this, the message of this “right” is that no business can treat an individual differently because they chose to exercise their privacy rights under the CCPA.

  • Right of Action

Should consumers’ information that is nonencrypted and nonredacted be subject to “unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices”, the consumer has the right to provide a thirty day written notice to the business, a thirty day opportunity to cure, and then pursue relief in the form od real or statutory damages.

How do I remain compliant?

As privacy and compliance regulations grow and evolve over time, despite the differences seen between these two regulations the similarities are much greater. With other regulations like Japan’s Act on Protection of Personal Information, South Korea’s Personal Information Protection Act, the Amendment to Australia’s Privacy Act, etc. being impacted globally, it is only a matter of time before most, if not all, organizations fall under the scope of some regulatory compliance act that restricts the usage, collection, and retention of personal information while granting the data subjects their own set of rights to that data.

The #CCPA makes California the first state in U.S. to roll out #GDPR-like regulation, how should the business prepare and how will it impact consumers?Click to Tweet

While many organizations may have to ask “Am I CCPA ready?” the root question should be “Am I ready to protect personal information?”. The nuances between different acts do afford review when launched and for applicability but following these same core principles will keep an organization ready for whatever compliance standards may be thrown at them:

  • Know where your information assets are

The first step to protecting the personal information within an environment is understanding where it is. Risks of breach, lack of security, failure to pseudonymize, etc. all can take place when content sprawl, governance, and control get out of hand within an environment.

  • Know what data is personally identifiable

Knowing where all data repositories are is important, but knowing and classifying the type of data can be more so. Understanding what contains identifiers and then classifying it in a way to further control it is paramount.

  • Optimize your data footprint

The hardest data to breach is the data that doesn’t exist. If personally identifiable data is in a business’s network and it isn’t adding value, purging the old content will create a safer situation.

  • Monitor for threats

Watching all personal data within an organization to determine where insider threats or other forms of data exfiltration will help get ahead of any potential data breach incidents.

  • Pseudonymization and encryption planning

Be prepared to find a way to keep content safe and useful to the business without it being useful to someone outside of it.

In Parting

All organizations are different and all have different needs, just like all compliance regulations share similar concepts but differ in other areas. Keeping your business on top of the new changes and requirements is important to ensuring that you keep your customers safe as well as keeping your business safe.