CCPA – Introduction, Applicability and Recommendations
By Neeraj Nayak, Senior Manager at Cipher Cloud.
What is the CCPA and what is its applicability to businesses?
The California Consumer Privacy Act (CCPA) of 2018 is a broadly applicable and wide-ranging privacy law that will come into effect on January 1, 2020. The CCPA applies to any business that does any amount of business in the State of California, AND:
- has more than $25 million in revenue, OR
- buys or sells the personal information of 50,000 or more consumers, OR
- derives 50 percent or more of its annual revenue from selling consumers’ personal information
So, if your revenue is over $25 million, and you do business with even one (1) customer in California, you must be fully compliant with the CCPA by January 1, 2020.
What Data is Regulated Under the CCPA?
Much of the data kept in the clouds today likely includes personally identifiable information (PII) which is highly regulated under the CCPA. PII, defined under CCPA, very broadly includes real name, alias, postal address, account name, social security number, driver’s license number, passport number, and other similar identifiers. PII specifically includes many other categories of data such as biometrics (specifically including DNA data), internet search and browse data (anything used for digital marketing), geolocation data, employment information, and much more. The CCPA definition of PII even addresses “probabilistic identifier” which means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
What are the Rights of Californians Under the CCPA?
- Right to Disclosure: Know whether their personal information is sold or disclosed and to whom
- Right to Access: Access their personal information
- Right to Opt Out: Say NO to the sale of personal information
- Right to Equal Service: And they still must be provided with equal service and price by your business – even if they exercise their privacy rights
- Right to Deletion: Request deletion of their personal information
What are the penalties for Non-Compliance?
- Citizens have the right to file civil class action lawsuits against companies to pay damages ranging from $100 to $750 per incident per person. The cost can add up to tens of millions with only 100,000 records.
- State can levy a fine of $7500 for each intentional violation and $2,500 for each unintentional violation on the company
Recommendations for businesses to comply with CCPA
- Data Encryption: Encrypt sensitive personal data as soon as it’s collected, definitely before sending it to the cloud, and keep encryption keys in a separate environment so that at anytime, and at any stage in the lifecycle of the data, it remains completely protected. This includes data encrypted at rest (in the database), in use (application code, search, API), and in transit (network, etc).
- Data Loss Prevention: Establish a DLP program and strategy for enterprise and cloud applications to prevent sensitive personal data leaks by user errors and abuse, intentionally or unintentionally, structured data (Databases, CRM,ITSM, HRMS, etc.) as well as unstructured data (Office 365, Dropbox, etc.)
- Data Discovery and Data Request Management: Discover and classify sensitive personal data in enterprise and cloud applications with structured data and unstructured data. Establish processes by which consumer data requests can be submitted, responded to, and tracked to completion.
- Adaptive Access Control: Maintain access management program that enforces access policies including “step-up” 2FA authentication, not only at login time, but also continuously during the entire session while analyzing abnormal behavior of user, device, and location especially when accessing sensitive personal data.
- Training & Awareness: Create and conduct data privacy training and awareness campaigns to make employees aware of their responsibilities around personal data handling.
Download CipherCloud’s CCPA Definitive Guide to comply your business operations with CCPA.