Following extensive media coverage of the Facebook-Cambridge Analytica scandal, the Equifax data breach, and countless other known data breaches, consumers have become more aware of how their personal data is being used and misused by companies.
In 2016, the European Union passed the General Data Protection Regulation (GDPR) which aims to protect consumer data and privacy. In the United States, no such national law exists. In the absence of comprehensive consumer privacy legislation at the federal level, California assembly member Ed Chau filed Assembly Bill 375, which later became the toughest, most extensive privacy law in the nation—the California Consumer Privacy Act (CCPA). “California took a historic step in enacting legislation to protect children and consumers by giving them control over their own personal data. Consumers should have a right to choose how their personal information is collected and used by businesses. It is your data, your privacy, your choice,” assembly member Ed Chau said when the CCPA bill passed.
This is a welcome change for consumers, but what does all this mean for businesses?
Good question. Businesses and industry groups have often complained that the CCPA as written is vague and in some areas inconsistent with current laws. Recent guidance and amendments in October 2019 have helped clarify those ambiguities and remove inconsistencies in the law. But with ever-changing definitions and duties, businesses are now in a race against the clock to implement a compliant privacy program before the CCPA and its amendments go into effect on Jan. 1, 2020. Realizing that cobbling together a privacy program in-house could leave businesses at risk, many are turning to consultants, service providers, and software vendors to ensure compliance with the law.
What exactly is CCPA and who does it apply to?
The California Consumer Privacy Act (CCPA) is a privacy and consumer protection law that gives California consumers more control over the personal data that companies collect, sell, and share. Consumers will have access to data related to what personal information is being collected and what information was shared or sold, and to whom it is sold. Individuals will also have the ability to opt out of the collection and sale of their personal data and, by law, will not be discriminated against for requesting this information or for opting out of data collection.
The CCPA applies to for-profit businesses operating in the state of California that meet one or more of the following requirements:
- Have gross annual revenues in excess of $25 million
- Annually buy or receive personal information of 50,000 or more consumers, households, or devices
- Derive 50% or more of their annual revenues from selling customers’ personal data
The CCPA does not apply to consumer data collected or sold wholly outside of California, nor does it apply to non-profit organizations.
Know where your company stores consumer data
To comply with the CCPA, it is necessary to know where your company stores its consumer data. Many companies accomplish this by completing a data inventory, followed by a data flow inquiry to understand how the data is used within and outside of the organization.
Questions companies should be able to answer include:
- Where is consumer data obtained and stored, and should it be secured?
- Does the consumer data meet CCPA requirements at the point of collection?
- What kind of consumer data is it, and for what business purposes is it used?
- Which third parties have access to the data, and how do they categorize it?
- Does the data need to be encrypted, redacted, anonymized, or disposed of?
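A data inventory starts with discovering which stores hold which categories of personal information. The following is an added example, not code from the original post: it runs a few identifier patterns over constructed stand-ins for data stores (the store names, contents and patterns are all assumptions made for the example) and produces the inventory a company would then feed into its data flow inquiry.

```python
import re
from typing import Dict, List, Set

# Patterns for a few CCPA identifier categories. Constructed for this example;
# a real scanner would use broader patterns plus validation (e.g. Luhn for card numbers).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed stand-ins for data stores. In a real inventory these would be
# database columns, object-store keys, log files, spreadsheets and so on.
SAMPLE_STORES = {
    "crm/export.csv": "Jane Public,jane@example.com,415-555-0100\n",
    "support/tickets.log": "2019-10-11 ticket 42 from 203.0.113.7: refund for 123-45-6789\n",
    "marketing/segments.json": '{"segment": "high-value", "zip": "94103"}\n',
}


def scan_store(content: str) -> Set[str]:
    """Return the set of PII categories whose pattern appears in one store."""
    return {cat for cat, pat in PII_PATTERNS.items() if pat.search(content)}


def build_inventory(stores: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every store to the sorted PII categories it holds (empty list if none)."""
    return {name: sorted(scan_store(body)) for name, body in stores.items()}


def stores_needing_controls(inventory: Dict[str, List[str]]) -> List[str]:
    """Stores that hold at least one identifier and therefore need encryption,
    redaction, access control or a retention decision."""
    return sorted(name for name, cats in inventory.items() if cats)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES)
    for store, cats in inv.items():
        print(f"{store}: {', '.join(cats) or 'no identifiers found'}")
    print("needs controls:", stores_needing_controls(inv))
```

Note that the log file, not the CRM export, is the store holding a Social Security number; logs and support tickets are exactly the places an inventory tends to miss.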
CCPA personal information definition
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. (Reference 1798.140). This does not include publicly available information that is made available from federal, state, and local government records.
Types of personal information protected under CCPA
Consumer data that is protected under the CCPA includes:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information, including an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, voice recordings, faceprints, a minutiae template, voiceprints, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data containing identifying information.
- Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information that is not publicly available.
- Education information that is not publicly available.
- Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
- “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
- Historical data; consumers have the right to access data dating back to the last 12 months.
- Category types of data collected on consumer and sold or shared to third parties.
Anonymize any consumer data you can
Some good news: de-identified, anonymized, or aggregate data is not subject to the CCPA. Where feasible for your business, reduce the amount of personally identifiable information (PII) stored on your systems.
CCPA de-identified data
“De-identified” data means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses de-identified information (1798.140).
Data de-identification, or data anonymization, includes deleting direct identifiers such as names and quasi-identifiers such as dates of birth. The CCPA prohibits re-identifying de-identified data and requires the business to maintain technical safeguards and business processes that prohibit attempts to do so.
Encrypt, mask, pseudonymize, and redact what consumer data you must keep
What is encryption? Besides being your saving grace regarding CCPA legislation, encryption is a way businesses can convert their sensitive data into an unreadable form, making it useless to anyone except those given the decryption keys.
The CCPA explicitly calls for companies to encrypt personally identifiable information (PII) held on consumers. This is to prevent its use in the event the data is unlawfully hacked, leaked, stolen, or disclosed. To meet these requirements, encryption software uses cryptography to protect files, text, and data from undesired parties. Encrypted data is transformed into ciphertext, which is unusable to anyone without the key needed to decrypt it. Companies utilize these tools to ensure their sensitive data stays secured even in the event of a breach.
CCPA data pseudonymization
Pseudonymization is processing that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer (1798.140).
Data masking, or data obfuscation, is a strategy to prevent misuse of data by employees or insider threats. The consumer data retains general attributes such as age range and zip code, but direct identifiers such as name, address, phone number, and other sensitive data are removed. This allows the company to use realistic data for testing and development without exposing personally identifiable information to everyday users. Data-masking software protects an organization’s important data by disguising it with random characters or other data so that it is still usable by the organization but not by outside forces.
Data redaction is a method where information is retained, but only visible to users with the right permissions. For example, instead of showing a non-privileged user a consumer’s Social Security number, the non-privileged user would see xxx-xx-xxxx.
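The three techniques described above (pseudonymization, masking, redaction) behave differently, and the distinction matters when a consumer asks what the business holds on them. The following is an added example, not code from the original post: it builds one role-dependent view of a constructed customer record, using a keyed HMAC as the pseudonym (the key is the "additional information" the statute says must be kept separately; the key value, record layout and role names here are assumptions made for the example).

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed sample records; not real people.
SAMPLE_RECORDS = [
    {"name": "Jane Q. Public", "email": "jane@example.com",
     "ssn": "123-45-6789", "phone": "415-555-0100", "age": 34, "zip": "94103"},
    {"name": "John Doe", "email": "jdoe@example.org",
     "ssn": "987-65-4321", "phone": "213-555-0199", "age": 52, "zip": "90012"},
]

# Hypothetical secret for the example. In practice this is the separately kept
# "additional information": it lives in a key management system, never next to
# the pseudonymized data, and access to it is what makes re-linking possible.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Same key and same input give the same token, so records can still be joined
    for analytics, but without the key the token cannot be linked back to a
    person. An unkeyed hash would not do: the input space of SSNs or phone
    numbers is small enough to enumerate, which is why the key is essential.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def redact_ssn(ssn: str, role: str) -> str:
    """Keep the value, but show it in full only to a privileged role."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    return ssn if role == "privileged" else "xxx-xx-xxxx"


def mask(value: str) -> str:
    """Format-preserving mask: letters become 'X', digits become '9',
    punctuation and spaces are kept. The shape survives (useful for testing
    forms and validation); the content does not."""
    return "".join("X" if c.isalpha() else "9" if c.isdigit() else c for c in value)


def age_range(age: int) -> str:
    """Generalize an exact age to a ten-year bucket so the quasi-identifier stays coarse."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def prepare_record(record: Dict, role: str, key: bytes = PSEUDONYM_KEY) -> Dict:
    """Produce the view of a record that a given role is allowed to see."""
    return {
        "subject_id": pseudonymize(record["email"], key),  # stable join key
        "name": mask(record["name"]),
        "phone": mask(record["phone"]),
        "ssn": redact_ssn(record["ssn"], role),
        "age_range": age_range(record["age"]),
        "zip": record["zip"],  # retained quasi-identifier
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(prepare_record(rec, role="analyst"))
```

Redaction is reversible by design (the privileged view still exists), masking is not, and pseudonymization sits in between: reversible only by whoever holds the separately stored key, which is why that key deserves the same access controls as the data it protects.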
CCPA compliance software
What kind of software are companies using to comply with the CCPA? Short answer, a whole slew of data protection software and services, including:
- Data privacy software - Data privacy software is used to find, organize and deliver sensitive data in a way that maintains compliance standards.
- Data inventory or mapping software - Data inventory software helps businesses discover where their sensitive data is.
- Data-centric security software - Data-centric security software helps businesses discover their data, manage policies, manage access control, and monitor data use.
- Data loss prevention (DLP) software - DLP software facilitates data identification and discovery, plus detects data leaks or misuse.
- Data governance software - Data governance software enforces data-related policies as well as maintains data quality.
- Encryption software - Encryption software allows companies to securely store consumer data so hackers can’t use it in the event of a data breach.
- Encryption key management software - Encryption key management software manages the administration, distribution, and storage of encryption keys.
- Data masking software - Data masking software disguises a company’s collected consumer data with random characters or other data so that it is unusable by outside actors, but still usable within the organization.
- Incident response software - Incident response software helps to stop data breaches.
- Contact center software - Per the CCPA, businesses must provide a toll-free number for California consumers to request their data or request deletion. Contact center software can assist with managing those calls.
- Vendor risk management software - Vendor risk management software helps ensure your vendors are properly using your data.
- Data Subject Access Request (DSAR) management software - DSAR management software offers a way to manage consumers’ requests for their personal information or for data deletion.
- Consent or opt-in/out management software - Consent management software tracks opt-out requests to avoid unauthorized sale or distribution of consumer data.
- Policy & notice management software - Policy and notice management software manages terms, conditions, and disclosures.
- Disclosure management software - Disclosure management software consolidates compliance information.
- Third-party and supplier risk software - Third-party & supplier risk management software gathers and manages vendor risk data to protect companies from issues such as data breaches or noncompliance.
- Privacy services - Privacy service consultants assist companies in achieving CCPA and other privacy regulatory compliance.
- Data security services providers - Data security providers assist businesses with data protection.
- Incident response service providers - Incident response service providers assist in the remediation efforts following a cyberattack.
So, is the CCPA a cybersecurity law?
In short, yes. The CCPA is both a consumer privacy law and a cybersecurity law, as it is prescriptive on how companies must secure consumers’ personally identifying information (PII) and related data in the event of a data breach. Specifically, the CCPA calls out the need to encrypt and anonymize identifiable consumer data to avoid fines.
CCPA non-encryption fines
Any non-encrypted or non-redacted consumer personal information that is hacked, stolen, accessed by an unauthorized user, or otherwise disclosed is subject to civil action to recover damages of no less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater. (Paraphrasing Section 1798.150)
CCPA noncompliance penalties
If the California Attorney General notifies a business of noncompliance with the CCPA, the business must cure those violations within 30 days or may be subject to civil penalties. Intentional noncompliance will result in fines up to $7,500 for each violation. (Paraphrasing Section 1798.155)
Data breaches & consumers’ legal recourse
Didn’t bother to encrypt your sensitive consumer data? Get ready to shell out some cash. Consumers have legal recourse if they discover plain-text, non-encrypted, or non-redacted consumer data was hacked, stolen, or otherwise disclosed due to the business’s failure to maintain reasonable security practices. Consumers must notify the business of the disclosure of their personal data, and businesses have 30 days to remedy the issue. If the issue is not satisfactorily remedied in that time, consumers may notify the Attorney General (AG), and the AG will determine whether to prosecute the business. If the AG finds the company intentionally violated CCPA provisions, the company may be liable for civil penalties of up to $7,500 for each violation. If the AG does not prosecute within 6 months, consumers can take civil action to recover damages in the amount of no less than $100 and no more than $750 per incident, and may ask the courts for injunctive or declaratory relief, or any other relief deemed proper by the courts.
Businesses have long argued that the CCPA has vague compliance guidance, that the timelines are unachievable, and that it contains obligations to consumers that conflict with existing laws. On Oct. 11, 2019, several amendments to the CCPA were passed to provide clarification, address incongruities, and provide compliance timeline extensions to certain groups.
A look ahead at future privacy regulations
The CCPA is just the beginning. Looking ahead, businesses should expect a patchwork of privacy regulations in the coming years. Over half of U.S. states brought forth some type of consumer privacy legislation in 2019, but many of those bills did not pass to become law (yet). States including Connecticut, Louisiana, and Texas passed legislation setting up consumer privacy task forces to study the issue.
A patchwork of state-based privacy regulation will make achieving compliance even more difficult. Privacy legislation has been discussed at the U.S. federal level to supersede states’ legislation, but bills have stalled in Congress. Regardless, businesses can expect more data privacy regulations in the near future. Begin preparing your business strategies to adapt in a changing legal landscape.
*Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.*