Jan 14, 2022

What is CCPA, and Why Does It Matter to You?

Article by: Unknown

What is CCPA?

CCPA, also known as the California Consumer Privacy Act, is “a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information of California residents.” (CookieBot). Under the CCPA, anyone who lives in California can ask a business what information it holds on them and what it does with it, ask the business to delete that information, and ask the business not to sell it; businesses are also required to inform individuals before or at the time they collect this information. Businesses are not allowed to discriminate against individuals for exercising their CCPA rights.

Businesses must offer at least two ways for an individual to request their information or opt out, for example an email address and a website form. Businesses also have 45 days to respond to an individual’s request, or 90 days if they notify the individual of the extension before the first 45 days are up.

 

What is defined as ‘personal information’?

According to the California Office of the Attorney General, personal information is defined as “information that identifies, relates to, or could reasonably be linked to you or your household.” That doesn’t include publicly available information, but it does go beyond just your name or social security number, to include anything that could be used to infer who a person is – such as records of past purchases or saved internet cookies.

 

When was CCPA enacted?

CCPA was enacted in 2018, but businesses had until 2020 to ensure that they were compliant with the new regulations.

 

Why was CCPA enacted?

CCPA was enacted as part of a movement to address data breaches at large tech companies that were attributed to weak regulation and privacy requirements. It was modeled after the EU’s GDPR, but covers broader ground with its definition of ‘personal information.’ CCPA was one of the first steps toward broadening the privacy rights of citizens in the U.S., and since then others have followed (see iOS 15).

 

Who does this apply to?

Any and all California residents have their privacy rights protected by CCPA.

Any for-profit business that does business with California residents is also covered if it meets at least one of these requirements:

  • It passes on or receives, in some form, the personal information of at least 50,000 California residents,
  • Half of its yearly revenue comes from selling the personal information of California residents, or
  • It has a gross yearly revenue over $25 million.

There is also a specific section of the CCPA relating to data brokers and how they are affected. In short, ‘data brokers’ are defined as businesses that function by selling personal data to third parties, and under the CCPA they face strict requirements for continuing their service. These requirements include registering with the Attorney General and providing their contact information and multiple ways for citizens to opt out, all recorded on the Data Broker registry. Read more here.

(Source: California Office of the Attorney General).

What exactly does each section of the CCPA mean?

  1. “The Right to Know”

    1. As a California resident, you can require a business to provide you, free of charge, the personal information it has collected on you in the last year and what it has used that information for.
    2. Why could you be denied?
      1. The request cannot be verified.
      2. The business has already provided you with your information twice in the last year.
      3. It would interfere with the business’s legal abilities.
      4. The business cannot disclose the most sensitive personal information (e.g. a social security number), but it can tell you that it collected it.
      5. The information falls outside of how the CCPA defines ‘personal information’.
      6. Read more at Civil Code section 1798.145.
  2. “The Right to Delete”

    1. As a California resident, you can request that a business delete the personal information it has on you, but there are a variety of exceptions to this.
    2. Why could you be denied?
      1. The request cannot be verified.
      2. It would stop the individual transaction or service you requested from being completed.
      3. For specific security reasons or internal business uses.
      4. It would interfere with the business’s legal abilities.
      5. The information falls outside of how the CCPA defines ‘personal information’.
      6. Read more at Civil Code sections 1798.105(d) and 1798.145.
  3. “The Right to Opt-Out”

    1. As a California resident, you can request that a business stop selling your personal information. There must be a clear call-to-action on the business’s website for an individual to request this, and the business must not require the individual to have an account with it to do so.
    2. If an individual requests this, the business must wait at least a full year before asking for that individual’s consent to sell their information again. If a business sells the information of children under 13, it must have consent from a parent or guardian to sell the child’s information.
    3. Why could you be denied?
      1. It would interfere with the business’s legal abilities.
      2. The information falls outside of how the CCPA defines ‘personal information’.
      3. Read more at Civil Code section 1798.145.
    4. GPC, also known as Global Privacy Control, is a setting available on some internet browsers that notifies websites not to collect or sell an individual’s data. It was created in response to the CCPA. Read more here.
  4. “The Right to Non-Discrimination”

    1. If you exercise your CCPA rights, businesses are not allowed to treat you any differently from any other consumer.
    2. Are there any exceptions to this?
      1. If you refuse to provide personal information that is needed to complete the transaction or service you requested, the business cannot honor that transaction or service request.
      2. Businesses are allowed to offer promotions and other discounts in exchange for personal information. If you refuse to provide it, you may not be eligible for those promotions and deals.
  5. “Notice of Collection”

    1. Businesses must, before or at the point of collection, notify the individual of what personal information they are collecting. The notice must list the categories of information and what the information will be used for, and include a link to the business’s privacy policy.

(Source: California Office of the Attorney General).

 

Why should ALL businesses care?

If the CCPA applies to a business under the terms above, that business is liable for all of these conditions. Even a business the CCPA does not apply to should still pay attention, as this regulation is likely to become the standard across all states in the future.

Businesses should take a closer look at their cybersecurity, as this is the main point of the CCPA and the foundation on which its data regulation and privacy requirements rest. (Proofpoint).

Cookies are also included in the CCPA’s definition of ‘personal information’, so if you are one of the businesses affected by the CCPA, you need to know what data you collect, why and for what purpose, and who you share this data with, and you need to post notice that these cookies are being collected somewhere on your site before or at the time of collection. (CookieBot).

 

What penalties could a business face?

Businesses could be audited against the CCPA, and if they are found not to meet its requirements, they will have 30 days to fix these issues. If the issues are not fixed within 30 days, businesses could receive fines of up to $7,500 per issue, and affected individuals could ask for $750 in damages for each time their data privacy was affected. (Proofpoint).

 

Can an individual sue a business under the CCPA?

Yes, but only under very specific circumstances. An individual can sue only if there has been a data breach, only if their data was unencrypted and unredacted, and only if the breach was due to the business’s failure to implement reasonable security standards. If all of this happens, the individual must give the business written notice of the specific parts of the CCPA that were violated, and the business then has 30 days to respond confirming that it has fixed those issues.

Only if all of these conditions are met, and the business continues to have unresolved issues with the individual’s data due to inadequate cybersecurity, would the individual’s lawsuit apply. In this very specific case, an individual can sue for up to $750 per data breach.

For anything else, an individual would have to file a complaint with the Attorney General. If a reasonable pattern of data breaches is seen from a particular company, the Attorney General could lead an investigation in the collective interest of California citizens. Each complaint must contain enough information about how the CCPA was violated and when and how this happened. If the Attorney General proceeds with an investigation, they operate in the collective interest, not in the interest of an individual.

(Source: California Office of the Attorney General).

 

So what does this mean for you? How can a business become compliant?

A few steps are recommended to ensure your cybersecurity is in order:

  1. Designate a role at your business to be responsible for data privacy and protection.
  2. Understand what data your business collects, what it is used for, and who it is shared with.
  3. Audit your business for risks. Generally, this involves hiring a professional.
  4. Utilize tools to help you protect your data.
  5. Set up protocols and use cases for data protection.
  6. Keep records of data usage and privacy protection, and continue to strengthen these security measures year after year.

(Source: Proofpoint).

 

Interested in learning more or getting started protecting your business’s data?

Talk to BLKDG.

(Sources: California Office of the Attorney General, Proofpoint, CookieBot).