CCPA - California Consumer Privacy Act of 2018
Beginning January 1, 2020, certain organizations that do business with California residents must adhere to restrictions on how they monetize personal data. Under the California Consumer Privacy Act of 2018 (CCPA), businesses and their subsidiaries that collect, sell or process California residents' personal information must give those residents a reasonable means to access, delete or change the personal information collected about them. They must also implement and maintain reasonable security procedures to protect that information from breaches, whether a breach stems from negligence or from deliberate misuse.
Who does this regulation affect?
The CCPA requires a business, defined as "(1) a sole-proprietorship, partnership, limited-liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds: (A) has annual gross revenues in excess of $50,000,000, as adjusted pursuant to paragraph (5) of subdivision (a) of section 1798.115; or (B) annually sells, alone or in combination, the personal information of 100,000 or more consumers or devices; or (C) derives 50 percent or more of its annual revenues from selling consumers' personal information; and (2) any entity that controls or is controlled by a business, as defined in paragraph (1) of this subdivision, and that shares common branding with the business."
The $50,000,000 and 100,000 figures in the quotation above come from the 2018 ballot-initiative text; the statute as enacted (Civil Code section 1798.140(c)) lowered them. A for-profit entity that does business in California is covered if it meets any one of the following thresholds:
- Annual gross revenues over $25 million (USD)
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
Penalties and enforcement for non-compliance
The CCPA states in part: "Any consumer who suffers an injury in fact *** shall recover statutory damages in the amount of one thousand dollars ($1,000) or actual damages, whichever is greater, for each violation from the business or person responsible for the violation, except that in the case of a knowing and willful violation by a business or person, an individual shall recover statutory damages of not less than one thousand dollars ($1,000) and not more than three thousand dollars ($3,000), or actual damages, whichever is greater, for each violation from the business or person responsible for the violation."
Additionally, "Notwithstanding section 17206 of the Business and Professions Code, any person or business that intentionally violates this Act may be liable for a civil penalty of up to $7,500 for each violation."
The amounts quoted above are again those of the ballot initiative. As enacted, Civil Code section 1798.150 gives consumers a private right of action only when nonencrypted or nonredacted personal information is breached because the business failed to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater; section 1798.155 sets civil penalties, enforced by the Attorney General, of up to $2,500 per violation and up to $7,500 per intentional violation.
Re-engineering Business Through People, Process & Technology
Whether you are a business (the GDPR's data controller) or a service provider (roughly, a data processor), the enactment of the CCPA requires organizations to examine how data are protected and to re-engineer business processes to accommodate new and stricter requirements. This shift comprises people, processes and technology.
When it comes to data protection, your employees are your first line of defense, but they don't know what they don't know. They may need training on how to communicate safely in email and on the web so that they can recognize and avoid the social engineering attacks that malicious actors use to reach personal data.
Implement adequate technical and organizational preventive measures, such as data pseudonymization[1] and data minimization, so that the safeguards are built into the processing itself and a breach exposes as little identifying data as possible. Also implement clear and concise methods by which California residents can submit access requests.
Implement data mapping and inventory tooling so that you can locate a resident's data and comply with access, deletion and portability requests. Enhance company websites with clear and concise links for such California resident requests. These can include web page links, a dedicated company email address and a toll-free phone number.
Data loss prevention (DLP) technologies can help stop personal data from leaving approved systems, and encryption of data at rest limits what an attacker gains from a breach. Encryption matters directly under the CCPA: the private right of action applies to breaches of nonencrypted or nonredacted personal information.
[1] Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
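The following Python example is added here to illustrate the pseudonymization measure and the access/deletion lookups discussed above; it is not code from the original article. It replaces the identifying field (email) with a keyed HMAC-SHA256 pseudonym, shows why an unkeyed hash is not a real pseudonym (it falls to a dictionary attack), and shows how the key holder can still locate a consumer's records to serve an access or deletion request. The sample records and the key handling (`secrets.token_bytes`, a comment pointing at a KMS) are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; names and addresses are fictitious.
RECORDS = [
    {"order": 1001, "email": "Alice@example.com", "zip": "94103", "total": 42.50},
    {"order": 1002, "email": "bob@example.net", "zip": "90210", "total": 19.99},
    {"order": 1003, "email": "alice@example.com", "zip": "94103", "total": 7.25},
]

# Fields treated as directly identifying. Quasi-identifiers such as ZIP are
# left in place here; a real data-minimization review would consider them too.
IDENTIFYING_FIELDS = ("email",)


def normalize(value: str) -> str:
    # Canonicalize so 'Alice@example.com' and 'alice@example.com' map to the
    # same pseudonym, which keeps joins across datasets working.
    return value.strip().lower()


def naive_pseudonym(value: str) -> str:
    # Unkeyed hash: anyone with a list of candidate emails can reverse it by
    # hashing guesses. Shown only as the weak baseline.
    return hashlib.sha256(normalize(value).encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    # HMAC-SHA256 under a secret key stored apart from the pseudonymized data.
    # Without the key an attacker cannot test guesses against the output.
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes, fields=IDENTIFYING_FIELDS):
    # Replace each identifying field with its keyed pseudonym; other fields
    # are copied unchanged so the data stays usable for analytics.
    out = []
    for rec in records:
        pseudo = dict(rec)
        for f in fields:
            pseudo[f] = keyed_pseudonym(rec[f], key)
        out.append(pseudo)
    return out


def guess_identity(pseudonym: str, candidates, pseudonym_fn):
    """Dictionary attack: recompute the pseudonym for each guessed identity.

    Succeeds against naive_pseudonym; fails against keyed_pseudonym unless the
    attacker also holds the key.
    """
    for guess in candidates:
        if hmac.compare_digest(pseudonym_fn(guess), pseudonym):
            return normalize(guess)
    return None


def records_for_consumer(email: str, key: bytes, pseudonymized):
    # Serving an access or deletion request: the key holder recomputes the
    # consumer's pseudonym and selects matching rows, so the plain email never
    # has to be stored next to the data.
    target = keyed_pseudonym(email, key)
    return [r for r in pseudonymized if r["email"] == target]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: in production, keep this in a KMS/HSM
    data = pseudonymize(RECORDS, key)
    print(data[0])
    print(records_for_consumer("alice@example.com", key, data))
```

The design point is that the key, not the hash function, is what makes the mapping non-reversible for anyone who only has the pseudonymized store; the same key is what lets you answer a resident's access or deletion request without keeping a plaintext identifier in that store.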
Among the various privacy laws and regulations throughout the world, some attributes are common to most of them. Identifying those common attributes can help you find the areas in your business processes that may need to change in order to comply with the specific regulations in the regions where you do business.
From an operations perspective, it can mean business process re-engineering for data handling and storage. It can also mean assigning new roles and responsibilities to employees such as a dedicated data protection officer (DPO) or a data custodian.
No matter which of the many privacy regulations you are bound to, the same people, process and technology review applies.
Don't Forget About Third Parties!
The CCPA states in part that: "A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer (1) the categories of personal information that the business sold about the consumer and the identity of the third parties to whom such personal information was sold, by category or categories of personal information for each third party to whom such personal information was sold."
In practice this means the data inventory has to record not only what personal information you hold but where it flows: which service providers and third parties receive each category of data and for what purpose. Without that record, a business cannot answer the disclosure request above, and it cannot propagate a deletion request to the parties it shared the data with.