The California Consumer Privacy Act (CCPA) or AB 375 is a new law that became effective on January 1 2020, designed to enhance consumer privacy rights and protection for residents in the state of California by imposing rules on how businesses handle their personal information.
The CCPA is the most extensive consumer privacy legislation to pass in the United States and is akin to the European Union's General Data Protection Regulation (GDPR) and other data privacy laws and privacy regulations.
The bill was put together in seven days to avoid a ballot initiative to pass an even stricter law that was opposed by many tech companies.
Table of contents
- What are the intentions of CCPA?
- What is considered personal information under CCPA?
- Who must comply with CCPA?
- How can organizations comply with CCPA?
- What happens if companies are not compliant with CCPA?
- How is CCPA compliance enforced?
- How can Californians request access to their personal information?
- How is CCPA different to GDPR?
- How does CCPA impact cybersecurity?
- How UpGuard can prevent data breaches and data leaks
1. What are the intentions of CCPA?
California's new privacy law is designed to provide California residents with new rights to:
- Know what personal data is being collected about them, e.g. smartphone locations, voice recordings or browsing history
- Know whether their consumer data is sold or disclosed and to whom, e.g. app developers, service providers and advertising partners
- Say no to the sale of personal data
- Access their personal data, e.g. online activities, physical locations, ride-hailing routes, biometric data and ad-targeting data
- Request a business delete their personal data, e.g. your phone number, social security number or IP address
- Not discriminate against them for exercising their privacy rights
- Access to specific inferences that have been made about them, e.g. psychographics, predictions and categorizations
- Provide authorization to companies, activists, associations and others to exercise opt-out rights on behalf of them
A lot of this functionality is already provided by large tech companies such as Facebook, Google, Microsoft and Twitter, who offer automated systems where you can log in and download a copy of certain personal data. Other specific personal details can now be requested from the companies by Californians.
Once requested, companies must acknowledge a data access request within ten days and provide the information within 45 days.
2. What is considered personal information under CCPA?
CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could be linked, directly or indirectly, with a particular consumer or household such as:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
3. Who must comply with CCPA?
The CCPA applies to any business, including any for-profit entity who collects personal data, who operates in California and meets at least one of the following criteria:
- Has annual gross revenues of at least $25 million
- Buys or sells the personal information of 50,000 or more consumers or households
- Earns more than half of its annual revenue from selling consumers' personal information
Non-compliant companies can be fined $7,500 per data record that violates the data privacy requirements of CCPA.
4. How can organizations comply with CCPA?
Organizations who must comply with CCPA must:
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years old before selling or sharing their data for commercial benefit
- Provide a "Do Not Sell My Personal Information" link on the home page of their website that enables Californians to opt out of the sale of their personal information
- Designate methods for submitting data access requests, including, at a minimum, a toll-free phone number
- Update privacy notices with newly required information including a description of California residents' rights under CCPA
- Avoid requesting opt-in consent for 12 months after a Californian opts out
- Provide accessible privacy notices and have alternative format access clearly called out
The California law also requires employers to tell employees the categories of personal information they collect about them and the purpose of data collection.
5. What happens if companies are not compliant with CCPA?
Once regulators notify companies of a violation, they will have 30 days to comply with the law.
If the issue isn't resolved, the following sanctions and remedies can apply:
- Companies who suffer from a data breach or data leak can be ordered in civil class action lawsuits to pay statutory damages between $100 and $750 per California resident and incident or actual damages (whichever is higher) and any other relief a court deems adequate, subject to an option of the California Attorney General's Office to prosecute the company instead of allowing civil suits to be brought against it
- A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation
6. How is CCPA compliance enforced?
Final regulations that clarify and define the parameters of the law are yet to be released by the California Attorney General, Xavier Becerra, who is expected to release them in the next six months. The state won't enforce the law until July 1 2020.
That said, the law allows class action lawsuits against companies who fail to take reasonable precautions to prevent data breaches. Apart from that, it is up to the Attorney General's office to ensure CCPA compliance, who was indicated it only has the bandwidth to bring a handful of cases each year.
Even if cases are rare, the threat of large files–$7,500 per data record–should be enough to entice most organizations to comply.
7. How can Californians request access to their personal information?
If you would like to request access to the personal information an organization holds about you and/or say no to the sale of your personal information, you can use the template below:
To the Privacy Compliance Officer,
My name is [insert your name here]. I reside in California and am exercising my data access right under the California Consumer Privacy Act (CCPA) to see the categories and specific pieces of personal information that your organization has collected about me.
I request to see a copy of any and all records pertaining to me including:
- Any and all information or content provided or posted by me
- Any and all data collected about me or associated with me, my phone number or device including location data, login data, biometric data, usage data, demographic data, website visit and other online activity
- Any and all inferences, classifications or categorizations that your organization or its service providers have made about my interests, activites, behavior, attitudes, psychology, health, fitness, diet, intelligence, abilities and any other psychographics
- Any and all data your organization has obtained or acquired about me from third-party vendors, websites, apps, service providers or companies
- A list of all entities and third-parties who have my data has been disclosed or sold to
I also request that you do not sell my personal information.
My email address is [insert your email address here] and my phone number is [insert your phone number here].
It may be helpful for you to know that the CCPA requires you to acknowledge this request within ten days and to provide my personal information within 45 days.
If you need any further information, please let me know as soon as possible.
[insert your name here]
8. How is CCPA different to GDPR?
While many view CCPA as the U.S. equivalent to GDPR, there are key differences.
The most important different is that CCPA excludes data acquired through third-parties. GDPR also provides specific requirements on how organizations protect personally identifiable information (PII), monitor for security incidents and report data breaches or data leaks, CCPA does not.
9. How does CCPA impact cybersecurity?
Unlike GDPR, CCPA does not provide specific requirements about security and breach response. In fact, CCPA does not require organizations to report data breaches. That said, California does have its own data breach notification law, just like New York and every other US state.
The language of CCPA states that businesses must "implement and maintain reasonable security procedures and practices appropriate to the nature of the information", but does not specify what reasonable is.
We would think that reasonable security procedures would include:
- Data leak detection
- Vendor risk management
- Vendor risk assessment questionnaires
- Third-party security ratings
- Incident response planning
- The principle of least privilege
- Access control
- Vendor management policies
- Information security policies
- A third-party risk management framework
- A cybersecurity risk assessment process
Security ratings provide real-time access to broad and objective data about industry-wide security performance across multiple categories including risk of vulnerabilities, email spoofing, spyware, ransomware, computer worms, malware, phishing, spear phishing, domain hijacking and man-in-the-middle attacks, as well as lack of DNSSEC, DMARC, SSL and other cybersecurity measures.
10. How UpGuard can prevent data breaches and data leaks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.