The California Consumer Privacy Act (CCPA) is a data protection law that came into effect on January 1, 2020. The CCPA is designed to give California consumers greater control over their personal information that is collected, received, used, shared, and/or sold (i.e. ‘processed’) by businesses. The CCPA is often compared to the European Union's General Data Protection Regulation (GDPR) as it provides similar rights and protections to consumers.
The CCPA requires businesses to be transparent about their data collection and sharing practices, as well as to provide individuals with certain rights over their personal information, and to implement reasonable security measures to protect that information.
Today, we’re exploring CCPA. Let’s jump in right away.
Who must comply with the California Consumer Privacy Act?
The CCPA applies to businesses that operate in California and collect, and store with personal consumer data of California’s residents, and meet one or more of the following criteria:
Have an annual gross revenue of over $25 million.
Buy, receive, share or sell the personal information of 50,000 or more California consumers, households, or devices.
Derive 50% or more of their annual revenue from selling California consumers' personal data.
The CCPA also applies to businesses that control or are controlled by a business that meets the above criteria and share common branding.
What is the definition of personal information?
The CCPA defines personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The definition of personal information by the CCPA may also include but is not limited to names, aliases, postal addresses, email addresses, social security numbers, IP addresses, biometric information and other information that helps to directly or indirectly identify a person.
Data Covered by the CCPA
CCPA is designed to ensure that individuals are the ones in control of their data, and because of that the act defines the way businesses should process individuals’ personal information.
This includes information obtained from the consumer directly or indirectly, such as through a third party. The CCPA also covers information about a consumer's household, such as their family members' names and ages.
However, the CCPA excludes certain data, such as publicly available information, deidentified or aggregated consumer information, and data covered by other laws, such as the Health Insurance Portability and Accountability Act (HIPAA).
What are the CCPA Requirements?
Right to know what personal information is being collected, used, shared and sold
Right to request deletion of personal information
Right to opt-out of the sale or sharing of personal information
Right to access personal information in a portable and easily understandable format
Right to non-discrimination for exercising their CCPA rights
Right to correct Inaccurate Personal Information
Right to Limit Use and Disclosure of Sensitive Personal Information
Businesses must also provide notice to consumers at or before the time of collection of their personal information. The notice must inform consumers of the categories of personal information that will be collected, the purposes for which the personal information will be used, and the categories of third parties with whom the information may be shared.
Furthermore, businesses must implement robust security measures to protect consumers' personal information from unauthorized access, destruction, modification, or disclosure. On top of that companies are also expected to establish and maintain reasonable practices and procedures for responding and honoring to consumer requests.
CCPA Compliance Checklist
Organizations subject to the CCPA should take several steps to comply with the law.
Conduct a data inventory to identify personal information collected, used, and sold.
To meet CCPA requirements, organizations should conduct a thorough review of their data practices to identify the personal information collected, used, and sold. This inventory should include a comprehensive assessment of data sources, purposes for which the information is collected, categories of third parties with whom information is shared, and security measures implemented to protect information.
Update privacy policies to include CCPA-required notices.
Implement processes for receiving and responding to consumers’ requests.
To comply with the CCPA, organizations must have effective processes in place for receiving and responding to consumers’ requests. These requests may include access to personal information, deletion of personal information, or opting-out of the sale of personal information. Organizations should establish procedures to verify requesters' identities and respond to requests within the CCPA's required timeframe.
Provide an opt-out mechanism for the sale of personal information.
Organizations wishing to comply with the CCPA must provide a mechanism for consumers to opt-out of the sale of their personal information. This mechanism should be easy to use and prominently displayed on the organization's website.
Train employees on CCPA compliance.
To comply with the CCPA, organizations must train their employees on CCPA compliance, including a review of CCPA requirements and guidance on handling consumer requests. Employees who handle personal information must also receive training on security policies and procedures.
Implement reasonable security measures to protect personal information.
Organizations must implement reasonable security measures to protect personal information. This includes physical, technical, and administrative safeguards to prevent unauthorized access, use, and disclosure of personal information.
Monitor and update compliance measures as necessary.
To maintain CCPA compliance, organizations must continuously monitor and update their compliance measures as necessary. Among other things, this includes regular review and updating of privacy policies, employee training on new requirements, and ensuring that their processes for receiving and responding to consumer requests are effective.
What new law goes into effect beginning January 1, 2023?
In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). The CPRA is designed to amend and extend the original CCPA.
Not only does the CPRA expand consumer rights, but it also brings fresh rules to the table. The right to correction allows consumers to have incorrect information rectified while the right to limit sensitive personal information will give them greater control over their data in general.
Consumers can also request information on automated decision-making and opt-out of the use of such technologies.
The CPRA went into effect on 1st of January, 2023 and is now state-wide law.
Are there any penalties for violating CCPA?
Penalties for violating CCPA are very real. Businesses that fail to comply with the CCPA may face fines of up to $7,500 per violation. Consumers also have the right to bring a private action against a business that violates their CCPA rights.
What is the difference between GDPR and CCPA?
While the CCPA and GDPR share similarities, there are some key differences between the two laws. The GDPR applies to businesses that collect and process the personal data of individuals in the European Union, while the CCPA applies to businesses that collect and process the personal data of California residents only.
The GDPR also gives individuals more rights, such as the right to object to the processing of their personal data and the right to restrict processing in certain circumstances. The CCPA, on the other hand, gives consumers the right to opt-out of the sale of their personal information.
Another difference between the two laws is that the GDPR applies to all businesses, regardless of their size or revenue, while the CCPA only applies to larger businesses that meet certain criteria.
What does CCPA mean for cybersecurity?
In terms of cybersecurity, the CCPA has significant implications. Companies that collect and store personal information are required to implement reasonable security measures to protect that data from unauthorized access or theft.
Under the CCPA, companies can be held liable for breaches that occur due to their failure to implement reasonable security measures. This means that companies must ensure that they have robust cybersecurity policies, procedures and tools in place to protect consumer data. The CCPA also requires companies to conduct regular risk assessments and to update their security measures as needed.
Overall, the CCPA represents a significant shift in the way that companies collect, store, and use personal information and at the same time provides Californian consumers with greater control over their data. On top of that the CCPA holds companies accountable for protecting that data from unauthorized access or theft. As such, the CCPA is likely to have a positive impact on cybersecurity by encouraging companies to take their data privacy and security obligations seriously.
CCPA and NordPass Business
Organizations can ensure the security of personal information through the security measures that the legal act encourages to implement in order to comply with CCPA. One of effective security measures is a password manager such as NordPass Business. Password management is a crucial aspect of data security, and NordPass Business provides organizations with an easy-to-use, yet robust solution that can help them implement security measures needed to comply with the CCPA.
Firstly, NordPass Business can help you ensure that passwords across the organization are unique and complex. With the option to generate strong and unique passwords for each account, organizations can rest assured that their users' accounts are secure.
NordPass Business allows organizations to securely share passwords. Sharing passwords can be a security risk, but in some cases, it is necessary for business operations. NordPass Business provides a secure way for organizations to share passwords, ensuring that only authorized users can access personal information. This feature is especially important for organizations that have employees working remotely or have multiple team members who need access to certain accounts.
By using NordPass Business to store passwords, organizations can demonstrate that they are taking measures to protect their users' personal information.