Assembly Bill 375, more commonly known as the California Consumer Privacy Act (CCPA), was signed into law on June 28, 2018, amended by Senate Bill 1121 on September 23, 2018, and becomes effective on January 1, 2020. Already being compared to the European Union’s General Data Protection Regulation (GDPR), the new law focuses on privacy rights and encompasses both consumer protection and data protection. Organizations therefore need to know how to secure and protect personal information to meet the CCPA’s regulatory requirements.
Understanding California’s New Data Privacy Law
What is the CCPA?
In response to increased data breach activity, the Californians for Consumer Privacy non-profit advocated for the new consumer protection law.
Their proposals led to the creation of the bill which, incorporated into the California Civil Code, subjects businesses to lawsuits and statutory damages when inadequate data security leads to the unauthorized disclosure of consumer information.
Who enforces the CCPA?
The California Attorney General enforces the CCPA and assesses civil penalties. In addition, individual residents can bring civil lawsuits against a business when a data breach results from the business’s failure to maintain reasonable security procedures.
What are the fines and penalties for violating CCPA?
In a consumer lawsuit, statutory damages range from $100 to $750 per California resident per incident, or actual damages if they are greater, plus any other relief the court determines to be proper.
Separately, the Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.
How does the CCPA define personal data?
As part of the consumer protection initiative, the CCPA defines twelve categories of personal information:
- Real name, alias, postal address, unique ID, IP address, email address, account name, social security number, passport number, or anything similar
- Anything considered personal information in Civil Code 1798.80
- Anything related to race, ethnicity, gender, or other protected class information as defined by California or federal law
- Commercial information such as property records, products or services, or purchasing histories/tendencies
- Biometric data
- Any information collected from the internet or network activity such as browsing history, search history, or website/application/advertisement interaction
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Psychometric information
- Professional or employment information
- Inferences drawn from any of the other categories of information
- Any of these categories of data collected for children or minors
Who must be compliant with CCPA?
The CCPA creates broad privacy requirements. Unlike the EU, the United States lacks a cohesive data protection regulatory structure. The CCPA enhances consumer protection by applying to for-profit businesses that collect California residents’ personal information and meet any of the following three thresholds:
- Generate annual gross revenue of over $25 million
- Annually buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices
- Derive at least 50% of annual revenue from selling California residents’ personal information
Non-profits and companies not meeting the above requirements remain exempt.
Who is protected by the CCPA?
The CCPA defines consumers as:
- People living in California for other than a temporary or transitory purpose, or
- Residents whose primary home is in California but who are outside the state for a temporary or transitory purpose
The definition is not limited to retail customers; it covers customers of household goods and services, employees, and individuals involved in business-to-business transactions.
Thus, even businesses not located in California may need to comply with the law.
What does “provide upon request” mean?
The CCPA allows consumers to request the personal information that a business collects about them. It stipulates that the business provide at least two methods for submitting such requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address. The business must then disclose and deliver the information, free of charge, within 45 days of receiving a verifiable request.
What is the “right to know”?
Any personal information that a business sells, or that it discloses to a third party for a business purpose, falls under the consumer’s right to know. The business must identify the categories of third parties that received the information and explain the business purpose for the disclosure or sale. If the business has not sold or disclosed the consumer’s information, it must tell the consumer that as well.
What does a business need to do to comply with the “right to know” requirement?
First, the business needs to verify the consumer’s request by matching the information the consumer provides against the information the business has already collected. The business then needs to identify the category or categories of personal information it collected about that consumer during the preceding 12 months.
If the business sold or disclosed the consumer’s information to third parties, it must also identify the categories of third parties that received it and the categories of information sold or disclosed to each of them during the preceding 12 months.
What is the “right to opt out”?
The right to say no, or “opt out,” means that a consumer can direct a business not to sell the consumer’s personal information to third parties.
What do businesses need to do to comply with the “opt out” requirement?
First, a business needs to provide a “clear and conspicuous link” on its homepage titled “Do Not Sell My Personal Information.” Whereas the GDPR leaves the wording of consent notices to each organization, which can make them confusing, the CCPA prescribes the exact link text that a homepage must include.
If a business does not want this link on its main homepage, the CCPA allows it to maintain a separate homepage dedicated to California residents that does include the link. Functionally, businesses must choose between maintaining two homepages or adding the link to their primary site; adding the link to the primary homepage is the simpler option and gives anyone, anywhere, a way to opt out.
The “Do Not Sell” link must lead to a page that lets the consumer opt out of the sale of their personal information. In addition, the business’s privacy policy, and any California-specific description of consumer rights, must describe the rights the CCPA grants and link to the opt-out page.
How ZenGRC Enables CCPA Compliance
CCPA compliance will require documentation collection, storage, and retrieval. Additionally, with more employees interacting with vendors who handle consumer data and more employees monitoring consumer requests, CCPA compliance will require more communication between internal and external stakeholders.
With our workflow tagging, organizations can delegate tasks and follow their progress to ensure appropriate completion. This is particularly crucial for the CCPA’s 45-day response deadline: businesses can monitor consumer request fulfillment activities to stay within the timeline.
Our task prioritization mechanism allows businesses to review workflows so that they can mitigate cyber risks and review the internal controls necessary for maintaining accurate opt-out and opt-in records.
Finally, ZenGRC acts as a single source of truth, so that all workforce members involved in CCPA compliance can access the same information and documentation to support audits.
For more information, or to schedule a demo, contact us.