Dr. Maxine Henry, one of Reciprocity’s renowned GRC experts, led a webinar on the California Consumer Protection Act (CCPA). This sweeping legislation creates data privacy rights for covered consumers—which means it also imposes obligations on businesses to safeguard personal information. Before implementation on January 1, 2020, Dr. Henry discusses how to prepare.
Who Will CCPA Impact?
CCPA protects California residents, recognizing all natural persons in the state as consumers. Even companies not headquartered in California, perhaps without physical presence in California, will be subject to CCPA, because California residents are among their customers.
CCPA imposes obligations on for-profit enterprises meeting any of these criteria:
- Annual gross revenues over $25 million;
- Handles, buys, shares, or sells personal information belonging to 50,000 plus California residents, households, or devices;
- Earns 50% or more of annual revenue selling California residents’ personal information; or
- Controls, or is controlled by, a business or affiliate meeting any of these criteria, with whom it shares a brand.
Unless an exemption applies, CCPA will affect most large businesses. Really, who doesn’t do business in California? But small and medium enterprises must consider how much of their customer base is Californian—and whether they’re prepared to comply with CCPA obligations.
What Will CCPA Require?
CCPA protects California consumers’ “personal information.” Dr. Henry explains, “The law broadly defines what personal information is, and it relates to any information that can reasonably link a person, either directly or indirectly, to a form of data.” With this broad definition, the data types that can be personal information are extensive. Some, like name, address, social security, passport, or driver’s license numbers, are what may first spring to mind as personally-identifiable, but data points like internet protocol, online identifiers, purchase activity, or internet activity also count. The statute also treats inferences derived from consumer preferences, characteristics, psychological trends, predispositions, behavior, attitudes, and abilities as “personal information.”
If personal information is breachedCCPA creates the potential for significant monetary penalties. California’s Attorney General can seek civil penalties: $2,500 per violation or $7,500 per intentional violation. CCPA also has a private right of action. Consumers with directly-linked data breached can seek statutory damages from $100 to $750, per consumer, per incident. In the event of a data breach, security practices dictate fine severity—though data security may also prevent a data breach from ever occurring. “It really pays to be diligent in trying to comply with the law,” Dr. Henry observes. “Put together a detailed plan and checklist. I can’t stress that more, because that will help guide you through the work you will need to do to be compliant, and it helps to demonstrate your compliance if you are ever breached or audited by the Attorney General of the state of California.”
CCPA’s core right is disclosure. Consumers will have the right to know what personal information a business has, who it shares with, and why. The disclosure requirement empowers the other rights CCPA creates, like consumer requests for access to their information, data deletion, and the right to opt out of data sales.
To provide consumers these rights, CCPA mandates that businesses:
- Respond to disclosure requests;
- Provide information and purpose when selling or disclosing personal data;
- Respond to opt out requests for data sales;
- Gather opt-in consent for children’s data;
- Provide data deletion requested;
- Provide data access and portability;
- Not discriminate against consumers who exercise CCPA rights.
Beginning January 1, businesses should expect to receive these requests. Californians have the right to know how their information is being used and can deny businesses the ability to sell their data. If there is a problem, the statute provides only 30 days to cure it. Yet, when consumers make requests under CCPA, businesses must provide records for the past year—before CCPA’s effective date. To be compliant, businesses must take action now.
Working Towards CCPA Compliance
To achieve and maintain compliance:
- Assess exposure – How much Californian data does the company have? CCPA, like GDPR, is risk-based. Understand your universe and analyze gaps.
- Evaluate data security controls – Leverage existing frameworks, like ISO 27001 and 27701, to guide efforts.
- Data documentation – Classify and tag data so it can be provided to consumers.
- Review data retention policies – Consider disposition/retention schedules
- Conduct privacy training for public-facing employees – Emphasize data and privacy, not just generalized security.
- Privacy notifications – Include it on the website, and update product literature and employee guidance. If reselling data, notify customers.
- Review vendor contracts – Partners can be a source of liability, if they mishandle consumer data. Consider an annual review of provider CCPA compliance.
- Periodically refresh policies – Inform with annual audits. Seek opportunities to improve.
- If a data broker, register.
For all of these steps, document, document, document!
In enforcement situations, companies need artifacts to demonstrate their efforts. Dr. Henry highly recommends using a tool to monitor and evaluate your governance, risk, and compliance program. Leveraging GRC software empowers companies to tailor their audit and monitoring efforts to their specific needs, to map objectives and controls together, and to flag still-outstanding risks. ZenGRC unites these functions in one tool, easing the task of gathering evidence when needed and identifying potential gaps as they develop. By automating and tracking vendor assessments, management, and auditing, ZenGRC streamlines the process of developing documentation across a business’s landscape— applying precisely the type of risk-based approach CCPA adopts.