In a previous article, we discussed GDPR compliance for business in the European Union. Simply put, GDPR changed the way that businesses can use consumer data for marketing and business purposes while giving more control to consumers in terms of how that data is stored, deleted or transmitted.
GDPR does not apply as a domestic standard in the United States, and U.S. federal privacy law is sector-specific rather than comprehensive, so several states have introduced their own, more rigorous privacy laws to protect consumers. One of these is the California Consumer Privacy Act, or CCPA. This law sets out a number of obligations that businesses operating in California must meet to protect customer data.
What Are the Standards of the CCPA?
First, it’s important to note that the CCPA is, in many ways, very similar to the EU’s GDPR framework. Like GDPR, the CCPA places the burden of protecting consumer data on the businesses that collect it, in a way that earlier, sector-specific U.S. regulations did not. This might seem like a burden for businesses, but in practice it forces organizations that use personal data to take the right steps to safeguard it. At the same time, it gives consumers a say in how their information is used, shared and retained.
At the core of CCPA is the concept of a consumer. Under the CCPA, a consumer is a natural person who is a California resident: someone who is in the state for other than a temporary or transitory purpose, or who is domiciled in the state but is temporarily outside it. This means, essentially, that the CCPA protects California residents wherever their data happens to be processed, unlike GDPR, which protects anyone located in the EU regardless of citizenship or residency.
CCPA protects the privacy of personal information, which, under the law, encompasses several categories, including:
- Identifiable data (name, address, etc.)
- Driver’s license or passport numbers
- Credit card or Social Security numbers
- Income information
- Political, religious or educational information
- Biometric data
- IP addresses
- Demographic information (age, race, gender)
- Geolocation data
Importantly, CCPA creates a set of consumer rights that include:
- The right to know what personal information is collected, how it is collected, and how it is used, sold or shared, and with whom.
- The right to have their information deleted upon request.
- The right to opt-out of the sale of their personal information.
- The right of minors under the age of 16 to require affirmative opt-in consent before their personal information is sold, and the right of minors under the age of 13 to require the consent of a parent or guardian for that sale.
- The right not to be discriminated against (through different prices, service levels or quality) for exercising any of the above rights.
Furthermore, businesses must follow strict guidelines as they gather data from customers, including the following practices:
- Provide notice to consumers, at or before the point of collection, of the categories of personal information being collected and the purposes for which it will be used.
- Provide clear instructions for how consumers can opt out of the sale of their personal information, request access to the data the company holds about them, and have that information deleted.
- Provide a “Do Not Sell My Personal Information” link, on the homepage and in the privacy policy, through which consumers can opt out of the sale of their information.
- Respond to consumer requests for access or deletion within 45 days of receipt (extendable once by a further 45 days when reasonably necessary, provided the consumer is notified of the extension).
- Disclose why they are collecting data, including any financial incentive offered in exchange for the collection, retention or sale of that data.
- Maintain records of consumer requests, and of how the business responded to them, for at least 24 months.
These requirements aren’t limited to large businesses, but they do apply only to for-profit businesses that do business in California and meet at least one of the following thresholds:
- Annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices.
- Derive 50% or more of annual revenue from selling consumers’ personal information.
- Have gross annual revenue in excess of $25 million.
Businesses that buy, receive, sell or share the personal information of 4 million or more consumers have additional record-keeping requirements: under the CCPA regulations they must compile, and publicly disclose each year, metrics on the consumer requests they received and how they handled them.
What Are the Penalties for CCPA Non-Compliance?
Like many frameworks, the severity of non-compliance penalties depends on the context. Penalties are primarily civil and are enforced by the California Attorney General: up to $2,500 per unintentional violation and up to $7,500 per intentional violation. This might seem low until you consider that a single compliance failure typically affects a large number of consumers, perhaps hundreds of thousands, and each affected consumer can count as a separate violation.
Additionally, businesses have 30 days after being notified of alleged non-compliance by the Attorney General to cure the violation. If they do not, they face the civil penalties above.
Finally, the law gives consumers a private right of action when a data breach exposes their nonencrypted and nonredacted personal information because the business failed to implement and maintain reasonable security procedures. Consumers can sue for statutory damages of $100 to $750 per consumer per incident, or for actual damages, whichever is greater. As with Attorney General enforcement, a business has 30 days after receiving written notice from the consumer to cure the violation before a suit for statutory damages can proceed; a claim for actual damages does not require that notice.
Ways to Stay CCPA Compliant
There are some straightforward ways to maintain compliance with CCPA, all involving basic improvements to how you approach consumer privacy:
- Implement technical measures to protect personal information at rest and in transit: encrypt stored data with a strong cipher such as AES-256, and require TLS 1.2 or later for connections that carry it. Encryption matters doubly under CCPA, because the private right of action for breaches applies specifically to nonencrypted and nonredacted personal information.
- Automate documentation and record-keeping to demonstrate compliance, because CCPA requires you to show not only that you comply with the regulations but that you honor consumer requests, and to keep records of those requests for 24 months.
- Automate audits and remediation to ensure that your technical systems, privacy policies and processing practices align with CCPA regulations. This also helps you respond to consumer requests within the 45-day window and avoid penalties.
- Develop and maintain consumer notices that disclose the data-collection practices CCPA requires you to disclose, and keep them current as your processing changes.
Automate CCPA Compliance with Lazarus Alliance
Lazarus Alliance provides years of experience in CCPA compliance alongside decades of combined experience in cybersecurity and cloud automation to help enterprises and small businesses alike in their journey through California regulations. If you fall under the criteria for CCPA regulation, then consider us as your security partner to streamline complex compliance audits into simple, straightforward operations in your business and IT architecture.