With concerns over data security mounting, the State of California enacted its California Consumer Privacy Act (CCPA) on January 1, 2020. This article will help businesses to understand the CCPA with information for anyone that collects, shares and sells the personal information of California residents. The privacy requirements share a lot in common with the rules set forth by the EU General Data Protection Regulation (GDPR).
Who Does the CCPA Protect?
Out of increasing concern, California voters required added personal freedom and security protections due to the widespread data collection that is characteristic of our ever-changing technology environment. Similar to the GDPR, the CCPA endows greater protections to individuals who should control over their personal data. Every Californian benefits from the privacy protections outlined in the CCPA. This includes a natural person who is a California resident as defined in Section 17014 of Title 18 of the California Code of Regulations.
What is Considered Personal Information?
The CPA explicitly states what is covered: “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” In addition to browser and search history, personal information examples include:
- Data collected through website interactions
- Names and aliases
- Postal and email addresses
- Account names
- Social Security, driver’s license and passport numbers
- Psychometric information
- Employment-related information
- Other unique personal identifiers
In plain language, the CCPA excludes information that is considered publicly available, i.e., “information that is lawfully made available from federal, state, or local government records.”
To Which Organizations Does the CCPA Apply?
Any legal entity that conducts business in the State of California (regardless of their location), that collects consumer personal information, must adhere to the CCPA. Under the CCPA, a business is defined as any: “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” The regulation differs from the GDPR in that it is intended to enforce compliance on medium and large organizations by revenue and impacted consumers. There are additional stipulations that make organizations applicable, such as when they:
- Have $25M or more in gross annual turnover.
- Purchase, receive, sell or share the PII of 50,000 or more customers, households or devices per year.
- Attain 50% or more of its annual revenue by selling its consumer data.
Some Questions to Ask to Determine if Your Organization is Subject to the CCPA
If you are a stakeholder and need to know if you need to comply with the CCPA, here are a few questions you can ask. Does your organization:
- Collect or process data that is personally identifiable?
- Determine what purpose(s) or outcome(s) data processing will yield?
- Decide what personal data to collect?
- Identify and decide upon the individuals from whom to collect the personal data?
- Benefit – commercially or by some other means – from data processing (excluding payment for services from another controller)?
- Process personal data due to contractual obligations with the data subject?
- Have a direct relationship with the data subjects?
What Rights Do California Residents Have Under CCPA?
There are four privacy rights that the CCPA endows California residents. Businesses must comply with these privacy rights.
Right to Notice
At or prior to collecting or sharing personal information, businesses partaking in such actions must notify consumers of the categories of personal information they are collecting, plus the intended purposes for which it will be used. The paper trail may complicate issues when data is obtained through a third party. Businesses must keep consumers informed of any other attempts to collect personal information, including the intent. Businesses must also clearly outline and articulate their privacy policies, including consumer rights and how consumers can exercise them.
Right to Access Data
Businesses are obligated to take swift steps to disclose and provide personal data in their possession once a consumer makes a verifiable request. The information must be provided free of charged, either by electronic or mail delivery. The requested information must be portable and transmittable to another recipient. It is not mandatory for businesses to deliver said information more than two times in a 12-month duration.
Right to Deletion
If a consumer provides a verifiable request, a business is required to delete the consumer’s personal information. There are certain exceptions, such as to fulfill a legal obligation, to complete a transaction, deliver on products or services, or otherwise fulfill a contract between business and consumer. Other exceptions, among others, include to:
- Detect security incidents or defend against malicious activity.
- Identify and make bug fixes.
- Exercise free speech or another right.
- Comply with the California Electronic Communications Privacy Act.
- Participate in scientific, historical, or statistical research (with consumer’s permission).
- Use data internally in a lawful manner.
Right to Opt Out
Businesses are required to tell consumers if they are involved in the selling of their personal information to third parties. Businesses must also give them the right to opt out of the sale by way of a highly visible, “conspicuous” link on the business homepage, titled “Do Not Sell My Personal Information.” Consumers are not to be discriminated against for harnessing these rights.
What Are the Consequences for Not Being Compliant With the CCPA?
Failure to comply with the CCPA can be costly depending on the business size and severity of the data breach. A business in violation of the CCPA faces enforcement by the California attorney general’s office, with penalties up to $2,500 per violation. Up to $7,500 in fines may also be imposed per intentional violation, following notice and a 30-day timeframe to “cure” the violation.
Consumers Have a Right to Private Action
The CCPA also provides individual consumers with a private right of action. Each consumer receives statutory damages in an amount no less than $100 and not greater than $750 – per incident or actual damages, whichever is greater. The court also stipulates “any other relief the court deems proper.”
ThreatModeler Empowers You to Protect Your Organization From Indemnifying Data Breaches
The CCPA holds organizations to greater levels of accountability for collecting, processing and sharing consumer data. Enterprises must be more transparent and ensure their data handling enforces strict cybersecurity controls. There are, however, benefits to improving your cybersecurity posture:
- Increased customer trust
- Enhanced brand image
- Improved reputation
- Strengthened information security posture
- Emerged competitive edge
Threat modeling is an activity that can help organizations to understand their attack surface – the sum of the different entry points, aka attack vectors – where a user can gain entry and compromise data within the environment. The attack vector is just one area of concern, as malicious or negligent actors can extract data from the environment to cause more damage. Organizations interested in improving their security posture will ensure that they have a clear picture of their attack surface, including potential threats. Threat modeling, with the use of process flow diagrams, will help CISOs, security architects, developers and other personnel across the organization understand the security threats and security controls that will mitigate them.
ThreatModeler is a leading threat modeling platform that introduces automation to design, build and deploy secure technology applications. With drag and drop ease, users can build their own threat models and save templates of completed diagrams to scale across their agile environment. With its bidirectional integration with Jira, users can build threat models (in under an hour), assign Issues to the correct mitigating party and remain updated on the status of each mitigation. CISOs and other stakeholders can rely on ThreatModeler’s accurate, reliable and repeatable output – which includes customizable Reports – to make informed decisions, and ensure security and compliance with regulating bodies such as the CCPA.