Decoding CCPA: Here’s What You Need to Know
At Bridgepoint, we’ve been keeping a close eye on developments around data privacy, particularly since the EU’s General Data Protection Regulation (GDPR) went into effect in May of 2018. Here in the U.S., a lot of different data privacy laws are moving their way through state and federal governments. California was first out of the gate with a broad new law called the California Consumer Privacy Act (CCPA).
Since many of our clients are grappling with CCPA and how it might affect their business, we sat down with Senior IT Manager, Vicki Humphrey — Bridgepoint’s resident Compliance guru and expert on all things GDPR, cybersecurity, and data privacy.
We asked Vicki to help explain the basics of CCPA and what companies need to know (and do) to protect their organization. Read on to find out what Vicki had to say.
Q: Can you tell us a little something about the California Consumer Privacy Act (CCPA)?
A: Sure! CCPA is California’s new privacy law that governs how personal data is collected and how businesses can use it. This is really the start of data-privacy regulations in the U.S. — we haven’t seen anything like it before. What makes CCPA especially tricky for businesses is the fact that the California legislature is still tweaking the law. Seven new amendments are working their way through the state Senate right now, so businesses don’t exactly know which way to jump.
Q: CCPA just affects California businesses, right?
A: Actually, no. Any business that serves California residents may be affected by CCPA. And here’s what’s tripping many people up — if your company doesn’t conduct direct business in California but you do process California residents’ data for one of your clients, you could be affected by CCPA.
So, CCPA applies to for-profit companies that do indirect/direct business in California if they also:
- Have gross annual revenues of at least $25 million;
- Collect, buy or sell personal data on more than 50,000 people or devices; and/or
- Earn more than half of their revenue from the sale of personal data.
Q: I hear that CCPA outlines some specific privacy rights for consumers. What does that look like?
A: Let’s say you’re a California resident. Under CCPA, you have the right to access any personal data collected on you over the last 12 months. If your personal data has been sold or shared with a third party, you have the right to know exactly who it was sold or shared with, how and why. You have the right to request that a company delete all of the personal data that is collected on you. If you don’t want your personal data being sold, you have the right to opt out — and still get the same products/services, at the same prices, as those who haven’t opted out.
Additionally, consumers whose personal information is subject to a data breach have the right to sue the business. This is a big deal.
Q: Before we go there, let’s talk about personal data collection for a minute. Are we just talking about name, address, email, etc.?
A: CCPA makes the definition of personal data much broader than previous privacy laws we’ve had here in the U.S. It includes any information that can be linked with a particular consumer or household, directly or indirectly. So, yes — names, addresses, social security numbers, and email addresses. But CCPA extends “personal data” to include location information gathered from your mobile device and IP addresses; your online shopping and browsing history; and all kinds of marketing profile information based on personal preferences, behaviors, attitudes, abilities and more.
This is really new and reflects an emerging view of privacy among many lawmakers. I think the U.S. is starting to take a long, hard look at what privacy means in our new highly digital, highly connected age.
Q: How does CCPA address the security of personal data?
A: Unlike GDPR, there’s not an aggressive requirement of 72-hour notice for breaches. However, CCPA assigns penalties for consumer data exposure due to a breach or lack of appropriate security safeguards — up to $750 per consumer per incident or actual damages, whichever is greater. This means companies should really focus on remediating any cybersecurity gaps and vulnerabilities and make sure they have strong governance and data security policies.
Q: What can happen to companies if they’re not fully CCPA-compliant after the January 1st, 2020 deadline?
A: If the regulators notify a company of a violation, that company has 30 days to comply with the law. If the issue isn’t resolved, there’s a fine of up to $7,500 per violation. Plus, as we talked about earlier, consumers have the right to sue companies for CCPA violations, even if there was no data breach.
The reason why this is a big deal is that there is no ceiling on CCPA penalties. Under GDPR, penalties are limited to $20M or 4% of global revenue, whichever is greater. We may end up seeing a host of class action lawsuits for damages under CCPA, with no limit on how high the penalties can go.
Q: Are most companies ready for CCPA compliance?
A: I think it’s a mixed bag. Many companies aren’t aware of how or even if CCPA will apply to them. Others know they need to take action, but don’t know where to start. And then there are organizations that are confused by the requirements and struggling to implement the proper policies, procedures, and workflows.
I’m telling all of my clients and contacts to get started now if they haven’t already. CCPA takes effect on January 1st, 2020 and the majority of U.S. companies should have a relevant compliance strategy implemented by then. Given our national conversation about data privacy and the fact that lawmakers are starting to address the issue seriously, it’s a good idea to build out robust, scalable and flexible governance and compliance systems NOW. Companies really can’t afford to sleep on this anymore.
Q: Any final words of advice for companies?
A: If you haven’t addressed CCPA compliance yet, now’s the time to get moving. For those who are running a little behind, here’s a basic framework that we have found helpful:
- Work with company leadership to determine if CCPA applies to your organization.
- Continue to monitor CCPA developments; some critical bills are still pending that could have a dramatic impact on the legislation.
- Prioritize the aspects of CCPA that will most affect your business.
- Carefully document what personal data you collect (keeping the CCPA definition in mind); where it resides; who has access; and how that data is used, sold and/or shared with third parties.
- Identify and remediate cybersecurity gaps and vulnerabilities.
- If not in place already, develop mechanisms and communications channels to process consumer requests specified by the CCPA.
- Establish data governance practices and/or update existing ones for CCPA compliance.
- Implement a detailed roadmap to meet all other CCPA mandates that specifically affect your business.
BRINGING IT ALL TOGETHER
CCPA is just the beginning of a coming wave of consumer data privacy regulations in various states and, possibly, at the federal level. It’s in your best interest to get organized and set systems in place, so you aren’t caught off guard in a rapidly evolving regulatory landscape. As with GDPR, complying with CCPA can be overwhelming for many organizations. Bridgepoint has a seasoned team of data privacy and security experts to help businesses navigate this new era of data privacy regulations. We’re here to guide you through each step of the process — including data discovery, regulatory gap analysis, security issue remediation, compliance policy development, and a Data Privacy Impact Assessment (DPIA). Learn more about our services here.
Vicki Humphrey is a Director in the Cloud Solutions practice at Bridgepoint Consulting. She has over 20 years of experience managing Cybersecurity and IT compliance projects as well as IT strategy and system development projects.