Many organizations are scrambling to understand the California Consumer Privacy Act of 2018, which the California legislature passed in June 2018. It will go into effect beginning Jan. 1, 2020. The California attorney general is responsible for enforcing the law.
The California Consumer Privacy Act (CCPA) gives California residents many new rights regarding how their personal information is collected and used.
Consequences for noncompliance with CCPA requirements could be painful. There can be a civil penalty of up to $7,500 for each violation, plus California residents can obtain up to $750 per incident or actual damages, whichever is greater.
Organizations need to understand this California privacy act and practical ways to comply with it.
It’s important to keep in mind that the law may change in 2019. The law was passed quickly in 2018 with only a week of legislative debate; over the next year, the California legislature is expected to receive significant lobbying and amendment requests from a variety of organizations that collect and use the personal information of California residents. Also, the law requires California’s attorney general to develop specific guidance about how organizations must comply with CCPA.
Understand how CCPA applies to your organization
The first step is to identify if and how the California privacy act applies to your organization. CCPA applies to all organizations that collect California residents’ personal information and that meet at least one of the following thresholds:
- has an annual gross revenue in excess of $25 million;
- annually buys, receives, sells or shares the personal information of 50,000 or more California residents, households or devices; or
- derives 50% or more of its annual revenue from selling California residents’ personal information.
The law gives California residents the following basic rights in their dealings with organizations that are subject to CCPA (hereafter referred to as covered organizations):
- the right to request that a covered organization disclose the categories and specific types of personal information that it collects about California residents, the types of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared;
- the right to request the deletion of collected personal information;
- the right to opt out of the sale of collected personal information; and
- the right to equal service and price if CCPA rights are exercised.
The law also prohibits covered organizations from selling the personal information of California residents under 16 years of age, unless such residents explicitly authorize the sale.
While the California privacy act applies only to the personal information of California residents, many covered organizations collect the personal information of residents from multiple states. Such organizations will need to decide whether to handle all personal information per CCPA requirements or create separate processes to handle just the personal information of California residents.
Because other states often emulate California’s data privacy laws (data security breach reporting, for example) and non-California customers may dislike having fewer protections for their personal information, it is likely that many covered organizations will determine that it is best to have a common approach to handling their customers’ personal information.
Create a personal information inventory
CCPA broadly defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer [California resident] or household.” Examples of personal information include:
- personal identifiers, including your real name, postal address, email address, Social Security number, driver’s license number or passport number;
- biometric information;
- geolocation data;
- internet browsing history;
- professional or employment-related information; and
- inferences drawn from personal information to create a profile about a California resident.
In order to implement the appropriate controls and processes to protect personal information, covered organizations need to create an inventory that identifies and maps how and when such information is collected, used, stored and destroyed, as well as how it flows through and out of the organization. It will be difficult for a covered organization to comply with the California privacy act if it does not understand the personal information it has and the related data handling processes that it must protect.
A personal information inventory may also help identify opportunities to pseudonymize or de-identify collected personal information.
Smaller covered organizations may be able to manually inventory their collected personal information, but larger covered organizations will likely need to use a data mapping tool such as OneTrust or BigID.
Implement cybersecurity best practices
CCPA compliance will require covered organizations to implement the appropriate security controls and processes to protect personal information. The law enables California residents to receive compensation if their personal information is “subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”
Controls will vary between covered organizations depending on the type and amount of personal information they collect and the processes used to interact with the data. Covered organizations should use a risk-based approach that appropriately protects personal information while enabling the necessary business processing and storage.
There’s no need to reinvent the wheel; base your cybersecurity program on a widely used and accepted set of cybersecurity best practices, such as the NIST Cybersecurity Framework or the Center for Internet Security’s Critical Security Controls. Companies can also follow an industry cybersecurity standard, such as PCI DSS. Doing so will enable your organization to show that it has implemented appropriate and reasonable controls to protect personal information, and that it follows security best practices.
Develop a personal information breach response and notification process
In order to comply with the California privacy act, covered organizations need to be prepared for a personal information breach. Having well-defined and documented procedures that are appropriate and realistic for your organization will make it much easier to launch a rapid and well-coordinated response.
At a high level, your personal information breach process should include:
- a detailed procedure for how you will notify the California attorney general and the appropriate business partners, the type of information the notification will provide and who at your organization will perform the notification if a personal information breach occurs; and
- a detailed procedure for how California residents impacted by a personal information breach will be notified and how quickly the notification will occur.
Covered organizations should, in advance, carefully define communication and containment processes; it can be stressful and time-consuming to figure this out in the middle of a breach.
Be sure to carefully test your organization’s personal information breach processes at least annually. You don’t want to be trying them out for the first time during a real breach.
Data privacy has become very important. GDPR went into effect in May 2018 and now CCPA is looming. Organizations that collect or process personal information need to be prepared for increased scrutiny and regulation of their personal information handling and protection practices. With careful analysis, planning and design, covered organizations can successfully comply with CCPA.