The CCPA Explained
The California Consumer Privacy Act (CCPA) 2018 is a law that sets out how companies must protect the data privacy rights of consumers residing in California. If you operate a business that serves California residents (regardless of whether your company is based in the state), it is important to be up to speed with this piece of legislation.[1]
While the CCPA currently applies only to California, it is one more step in the ongoing international push for more stringent data protection legislation and stronger systems of redress and oversight. For example, Virginia and Nevada have passed similar data protection laws, with other states set to follow, signalling a trajectory towards stronger legislative protection across the US.
This article provides a quick and easy guide to the key things you need to know about the CCPA.
What is the CCPA?
It was passed in June 2018 and is still considered by legal experts to be one of the most ground-breaking pieces of US data protection law, given the wide-ranging rights it establishes.
The CCPA allows California residents to:
Request access to any personal information held by companies or their affiliated third parties.[2]
Know who has access to and use of their data (i.e. which third parties their data is shared with).
Know what kind of information companies have access to and the type of data being collected.
Opt out of having their data sold.
Request that any data collected on them is deleted.
Be treated equally in terms of services and prices (irrespective of whether they have requested any of the above).
As a result, companies must responsibly monetise, handle, and share consumers’ personal data - or face financial penalties, the potential of being sued, or reputational ruin.
This means they are required to:
Provide access to, and/or securely delete, all relevant data when requested, within 45 days of receiving the request.
Ensure that personal data of those under 13 is not resold, and that consumers between the ages of 13 and 16 have opted in.
Make sure there are two or more methods for people to submit requests for information, correction or deletion.
Upon request, disclose all information collected in the 12 months before the request was made.[3]
For example, if a request is made on 22nd June 2021, a company must provide the information collected with effect from 22nd June 2020.
What does the CCPA consider as personal data?
Although the CCPA and the EU General Data Protection Regulation (GDPR) are often compared, the CCPA arguably takes a far broader view of what counts as “personal” data than the GDPR does.
The CCPA defines personal information as data that identifies, relates to, or could reasonably be linked with consumers or their households.
This includes (but is not limited to):
Characteristics of protected classifications under state or federal law
Information relating to purchased products or services, considered purchases, or other information relating to consuming history and tendencies
Inferences from any of this personal information that could be used to create a profile about preferences, behaviours, attitudes, characteristics, etc.
All these types of data can also include images and videos
Names, aliases, etc.
Social security numbers, drivers’ license numbers, etc.
IP addresses, email addresses, internet history, search history, etc.
Passport numbers
Fingerprints and other biometric information
Information related to consumer professions or places of employment
Information relating to consumers’ education that is not publicly available
Surprisingly, and unlike under the GDPR, natural persons acting as job applicants, owners, directors, officers, medical staff or contractors are not entitled to the above rights until 1st January 2023. In the meantime, businesses must still give these people notice of data collection or a privacy policy.
Dealing with video data?
CCPA compliance covers not only the responsible management of textual data but visual data as well. Dealing with CCTV video at any scale can be incredibly daunting, especially given the growing awareness of being filmed in public spaces that many customers and employees are beginning to voice.
With video analytics becoming a growing requirement, companies need to be able to fully demonstrate that they can be trusted to handle video data safely.
Automated redaction of personal data in video is a simple solution: it still allows you to run video analytics, but in a safe environment that customers and employees can be comfortable with. Through automated anonymisation you can reduce manual effort on video monitoring, comply more easily with the CCPA and protect yourself against potential breaches.
Considerations and challenges for companies
The CCPA forces companies to rethink their approach to data infrastructure and management systems.
As consumers have the right to request access to such a wide range of collected information, companies need the right data infrastructure to securely store and locate relevant personal data upon request - planning ahead is key.
Encryption and cloud service solutions are particularly useful ways to help protect against security breaches and reduce liability in the event of any unauthorised access.
Many companies have begun to unify and consolidate data into centrally secured hubs, so that it is easier to manage and has overarching protection from unauthorised access. Others have introduced identity and access management, taking steps such as multi-level authentication and encryption to secure data.
It is easier to put these safety measures in place when you know exactly which data you hold.
Visibility of the personal data you hold is critical; companies can achieve this by using methods such as data mapping to track what data they have, how long they have held it, who can access it and where it is held.
Managing personal data raises issues that can understandably cause concern, not least in terms of additional costs. Making an initial investment in infrastructure will pay off in the future, and adopting “privacy by design” principles makes it more likely that your business stays CCPA compliant over the long term.
In terms of managing video related data, tools like Secure Redact offer a useful way to redact any personal data that may be present in videos.
What happens if a company violates the CCPA?
If a company fails to implement sufficient security safeguards to protect any and all personal data, consumers are entitled to recover damages of up to $750 per incident, as well as other relief the courts may decide.
They can sue companies either as individuals or through class action lawsuits, although consumers are limited to two requests per year. The state of California can also directly file a lawsuit against a company which violates the law.
Businesses should note that they have a 30-day period after receipt of a consumer request to address any violations. If they haven’t addressed the alleged violation within this time, they could be subject to an injunction or even civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation.
While the California Office of the Attorney General cannot reveal the specific details of investigations, it has published examples of CCPA non-compliance since enforcement began in July 2020, together with the steps taken by the organisations concerned to rectify these issues.[6] A vast range of industries appears in this list, with violators ranging from social media sites to retail stores and even education websites. All types of businesses need to ensure they are aware of their obligations under the CCPA and, when notified of a breach, make all reasonable efforts to rectify their mistakes as quickly as possible.
This article has explained the CCPA and demonstrated that compliance doesn’t have to be scary. By having a secure infrastructure and data management practices, you can simplify your internal workflows and make compliance much easier!
References
[1] This requirement applies to companies that either have $25 million in annual revenue, collect data from at least 50,000 people, or derive 50% or more of their revenue from selling personal data.
[2] Section 1798.140 (7)(g)
[3] Section 1798.130
[4] ‘CCPA vs. GDPR: the same, only different’. Available at: https://www.dlapiper.com/en/us/insights/publications/2019/04/ipt-news-q1-2019/ccpa-vs-gdpr/
[5] Korolov, M., ‘California Consumer Privacy Act (CCPA): What you need to know to be compliant’, CSO, 7 July 2020. Available at: https://www.csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
[6] ‘CCPA Enforcement Case Examples’, Office of the Attorney General. Available at: https://oag.ca.gov/privacy/ccpa/enforcement