The U.S-based consumer privacy bill, more commonly known as the California Consumer Privacy Act122599 (CCPA), took effect on January 1, 2020, and established new guidelines to reshape the way organizations store, share, and monitor customer data.
These new guidelines came hot on the heels of Europe’s General Data Protection Regulation (GDPR) and focus on empowering consumers by giving them more control over the data they produce and share with businesses.
After CCPA enforcement began in earnest on July 1, 2020, many organizations have adjusted their data security approach. Since the CCPA came into effect, there have been over 50 lawsuits due to data breaches, violations of notification requirements, and other privacy rights violations.
But what exactly is the CCPA? How does it impact your business and how you manage user data? This blog post gives you a complete rundown of everything you need to know about the CCPA and examines why compliance is critical.
What is the California Consumer Privacy Act (CCPA)?
The CCPA is a privacy law passed in June 2018 that provides new rights to Californian consumers. They include the right to know which personal information a business collects, how that data is used and shared, as well as the rights to have personal information deleted and to opt-out of the sale of their personal information.
One of the most notable rights included in the CCPA law is that Californian residents have the right to demand access to all the data a company stores about them. Any company that fails to follow the CCPA requirements is liable to fines and legal action under California law.
CCPA fines range from up to $2,500 per unintentional violation to $7,500 per intentional violation. There are also fines for “disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Data breach fines range from $100 to $750 per consumer per incident or actual damages.
It’s important to note that the CCPA also overrides waivers. The law states that companies can’t make customers waive their rights, and any contract that attempts to do so is unenforceable. In short, enterprises must change their data handling practices and embrace transparency to avoid sanctions.
Which Organizations Does CCPA Affect?
CCPA requirements affect any business engaging in commercial activities in California that:
- Have gross annual revenue of over $25 million
- Buy, receive, sell or process the personal information of more than 50,000 California residents a year
- Generate more than 50 percent of its annual revenue from selling the personal information of California residents.
According to the law, a business is a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.”
The requirements also extend to any entity that controls or is controlled by a business that meets the conditions above and shares common branding, such as a shared name or trademark.
The key take-home is that the CCPA doesn’t just apply to businesses physically located in California but to all enterprises that conduct business with the state’s residents, excluding non-profit organizations and government agencies.
What Data is Affected by CCPA Law?
Under the CCPA, all California residents’ data is protected, including the consumer’s name, alias, address, social security number, email address, geolocation data, fingerprints, biometric data, driver’s license number, passport number, purchase history, and browsing history.
Personal information doesn’t include publicly available information like professional license or property records. The CCPA also doesn’t apply to data that is protected by regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA).
While a healthcare provider that stores HIPAA protected data won’t be subject to CCPA requirements for that information, they may still be liable to protect other customer data if they hold additional information on Californian residents.
Why is CCPA Compliance So Important?
Complying with the CCPA is necessary to grant Californian residents control over their data and avoid fines. If regulators discover a violation, they will notify the offending company, who will have 30 days to rectify the issue.
If a company fails to resolve the issue in 30 days, a regulator will issue a fine of $7,500 per violation. These fines can add up very quickly if lots of violations occur or if there’s a data breach.
Individuals can also sue for damages. Customers can send written notices to companies that violate their privacy rights, and the company will have 30-days to respond. For example, if your website doesn’t offer users the chance to opt-out of data sharing, an individual can react with a class action suit.
CCPA violations can also snowball and overlap with other legal violations. In the Todd Hurvitz vs. Zoom Video Communications Inc. class action suit, the plaintiffs alleged that Zoom violated the CCPA by failing to provide notice about the use of personal information collected and argued this violated the California Unfair Competition Law.
The devastating combination of fines and legal liabilities constitutes an existential threat to enterprises that don’t comply. Refining your data collection and management processes is now business-critical if you want to interact with Californian customers without running into problems.
What Does CCPA Mean for Security Awareness Training
With the CCPA recently coming into effect, US enterprises need to be prepared and create new data management and cyber security strategies from the ground up, which means your security awareness training needs to:
1. Make preventing data breaches a top priority
The CCPA has raised the financial damage of a data breach dramatically. With new legal and financial liabilities, security awareness training and phishing simulation tools are a must-have for mitigating common cyber threats and stopping hackers in their tracks.
2. Educate your employees about CCPA and cyber threats
With new regulations emerging, cyber security leaders need to be proactive in ensuring that employees know about CCPA requirements and consumer rights to avoid noncompliance. Employees also need to know to avoid common cyber threats like phishing attempts that lead to data breaches.
3. Appoint cyber security heroes to manage CCPA compliance and security threats
Promoting cyber security heroes in your team to monitor CCPA compliance and employee phishing awareness is an effective way to avoid costly violations. Proactive monitoring will verify that data handling practices are up to scratch and indicate ways to change behavior to better secure customer data.
4. Ensure all applications and infrastructure are up-to-date
Ensuring that all applications and infrastructure are up-to-date is vital for preventing hackers from breaking into your IT resources and stealing private data. Installing malware protection and anti-spam software will eliminate entry points and vulnerabilities that cyber criminals can exploit.
5. Provide ongoing communication about cyber security and CCPA best practices
Sending out regular emails and notices with guidance on how to adhere to the CCPA and general cyber security best practices will give your staff the awareness to comply with access requests and protect the information you hold on customers.
6. Implement network access rules
Implementing network access rules that limit the use of personal devices is necessary to prevent employees from accidentally sharing private data outside of your corporate network and opening the door to legal liabilities.
The GDPR and the CCPA each call for a change in how businesses manage customer data. The only way to comply is to embrace cultural change and place compliance with your company culture’s heart.
Providing employees with guidance on the requirements of the CCPA and how to handle personal information is your best chance at complying with the regulations and avoiding unnecessary fines.
Security awareness training is an invaluable tool you can use to educate employees about CCPA requirements and cyber threats, so they know how to handle data legally and securely. The good news is that enterprises compliant with the GDPR only need to make a handful of changes to comply with the CCPA.
Ultimately, while the CCPA will force companies to change how they manage customer data, it also presents an opportunity to enhance your data management practices for the better and support US consumers’ privacy rights.
How To Make Data Privacy A Year-Round Focus
Data Privacy Day is critical in raising awareness and getting conversations started about data privacy. However, to really develop a data privacy secure culture, you must make data privacy a year-round focus.
Do this with the tools in our Data Privacy Awareness Kit and by putting a focus on cyber security awareness. These two go hand-in-hand in creating a secure organization.
When people know the risks associated with sharing their data, they think twice about giving up their personal information.