The California Consumer Privacy Act of 2018 (CCPA) is a privacy law that gives consumers and employees based in California legal rights over how their data is collected, stored, sold, and shared. Unless you actively block California residents from visiting your website or doing business with you, you need to be able to respect these rights to stay compliant.
The CCPA came into effect on January 1, 2020, and has since been amended by the California Privacy Rights Act (CPRA). The CPRA amendment, enacted in January 2023, added new provisions, a dedicated enforcement agency, and a new data category of "sensitive personal information."
Any for-profit organization in the US or globally can be covered (required to comply with) by the CCPA if they:
- Have workers located in California
- Provide goods or services to people located in California or residents in California
- Interact with third parties that provide data about California residents
The CCPA is not just for California businesses. Complying with the CCPA is a global challenge. If you do business with California residents (of which there are at least 39 million), you must comply with the CCPA, regardless of where your operations are based.
To be covered by the CCPA, a business will need to either:
(a) Have made more than $25 million in gross revenue in the last calendar year or
(b) Get 50% or more of annual revenue from the sale of consumers' personal information or
(c) Share, sell, or buy the personal information of 100,000 households, consumers, or devices for commercial purposes.
Like with the European General Data Protection Regulation (GDPR), violating the CCPA exposes your business to financial penalties. Under the CPRA, the California Privacy Protection Agency (previously the California attorney general under the CCPA) can fine any company that violates the CCPA $2500 for each incident, i.e., for every person's data impacted. This increases to $7,500 for each data security incident involving data belonging to minors or intentional violations.
CCPA non-compliance also creates legal risks. Under the CCPA, consumers have a private right of action when there’s disclosure or theft of nonencrypted or non redacted personal information. Although relatively limited, this still means that individuals can sue a business that allows their data to be exposed during a data breach.
What Businesses Need to Do to Be Compliant with the CCPA
Being covered by the CCPA means that to stay compliant, businesses must be able to:
Comply with consumer data requests
The CCPA gives consumers and employees the right to control what happens to their data and expect it to be protected.
Consumers have the rights to:
- Know when their personal information (PI) is being collected and why
- Delete their PI after making a request
- Correct inaccurate PI
- Opt out of their data being sold or shared
- Limit what happens to their PI
- Receive a copy of all the PI collected about them in a format that can be sent elsewhere
- Specifically, limit the use of sensitive personal information (SPI)
- Avoid data collection unless it is for a specified purpose, i.e., data that is not "reasonably necessary and proportionate."
Businesses also need to put in place safeguards to secure data and protect it from data breaches. The CCPA defines this obligation as implementing "reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure."
For businesses that are not sure where to start, the Center for Internet Security (CIS), which lists 18 important security controls for better cybersecurity posture, can offer some guidance. The CIS describes “data protection” as "processes and technical controls to identify, classify, securely handle, retain, and dispose of data.”
Conduct regular privacy risk assessments
Businesses need to regularly look at whether the way they process customer data puts customer privacy at risk and submit the results to the regulator. Any risky data processing activities will need to be highlighted. This concept is similar to the GDPR's Data Protection Impact Assessment (DPIA) process.
CCPA Data Definitions You Need to Know
To be CCPA compliant, you need to know what data is covered. The CCPA contains over 30 definitions; you can read the full list here. Some core covered data definitions data security leaders need to be aware of include the following:
- Personal Information (PI). The CCPA defines this as a wide range of data, including someone's full name and address, purchasing history, browsing history, educational and employment histories, voice or visual records, email addresses and other contact information, Social Security number, driver’s license number, biometric data, internet browsing history, geolocation data, and more.
- Sensitive Personal Information (SPI). A particular category of personal information created by the CPRA, sensitive personal data refers to someone's Social Security number, driver's license, state ID or passport numbers, as well as data that expose someone's account credentials like log-ins, financial account details, and debit or credit card numbers along with their associated security or access codes, and exact geolocation.
- Aggregate Consumer Information. Information relating to a group or category of consumers that cannot be easily traced back to an individual.
- De-identified Information. Data that can't be easily linked or used to gather information about a specific consumer. To qualify data as de-identified, a business must take steps, including contractually obligating anyone the data is shared with to ensure the data can't be connected to any individual or household.
- Processing. This refers to any action, such as using data for targeting advertisements or a series of actions done to personal information. Processing could be automated or totally manual.
- Third Party. Any business or person that is different from the business with which a consumer has chosen to interact with. This does not include contractors who are affiliated with the original business.
- Unique Identifier or Unique Personal Identifier. Any tag or marker that can be used to recognize a person, their family, or a device over time across different services. It can include cookies, IP addresses, phone numbers, or customer numbers. In simple terms, it's a way to identify someone or their device consistently.
Data Not Covered By the CCPA
Although the CCPA applies to a lot of different kinds of personal information, it does not cover personal health information (PHI) collected or processed by any business already covered under the Health Insurance Portability and Accountability Act (HIPAA). Clinical trial data is also not covered.
The CCPA does not cover publicly available information, i.e., data that can be found on federal, state, or local government records. It also does not include de-identified or aggregate consumer information.
How Cyera Helps Businesses Comply with CCPA
If you’re a business covered by the CCPA, consumers have the right to expect that you:
- Know where their data is.
- Are treating it securely based on what it is.
- Are not going to let it end up for sale on the dark web via a data breach.
Cyera allows you to answer these questions for all your data automatically and at scale. Cyera helps businesses meet CCPA requirements by:
- Inventorying all their personal information in line with CCPA definitions.
- Efficiently discovering and classifying sensitive personal information.
- Instantly flagging and addressing potential CCPA compliance risks.
- Conducting regular data privacy risk assessments.
See how Cyera can help address CCPA compliance by scheduling a demo today.