
How CCPA Impacts Business

By Sean Washington

The California Consumer Privacy Act (CCPA) was passed in 2018 by Jerry Brown with the aim of protecting consumer data by giving consumers rights over how it is shared with, deleted by and accessed by third parties.  This new guideline went into effect in January 2020, and the Attorney General will start delivering enforcement action in July 2020.  This new act will impact any business that has clients in California – not just companies that have headquarters there.

An obvious example of a company that leverages personal data for profit would be Facebook.  They deliver a free social media platform and in turn collect large amounts of data ranging from addresses, friends, affiliations, phone numbers, etc.  Facebook has been highlighted in the media due to 2018’s election scandal, where Cambridge Analytica apparently leveraged consumer data from Facebook to assist with campaigning.

What does this mean for businesses?

Any business with customers/clients that reside in California (population 39.5M) will have to comply with these regulations.  This will require massive overhauls of how businesses operate, so it will be disruptive.  If your company falls into any of these categories, you must start making adjustments:

  • Annual gross revenues of $25M or more
  • If you buy/sell/receive the personal data of 50,000+ consumers, households, devices, etc. (annually)
  • If 50% of your revenues come from selling consumer personal information

Any company that is in the $25M+ range is slightly more than a small business and should already have some data governance in place.  These companies will have to follow an outline, put measures in place and be able to prove that they are complying with the regulation.  The measures will go back 12 months, so in theory, companies should have started this in 2019.

What types of measures are required under CCPA?

Data can be leveraged by many different departments within an organization, but it generally becomes an issue for IT, Security and Compliance Officers.  Businesses are asked to have “reasonable” security measures in place to demonstrate a CCPA-compliant operation.  These requirements are similar to other regulatory requirements, where the business is basically being asked to cover itself in the case of a lawsuit.  A lawsuit would be brought on the basis of negligence that caused harm.

Although “reasonable” is vague, the following practices should be in place to protect data:

  • Count Connections – Know the specific hardware and software connected to your network (visibility)
  • Secure Configs – Key security settings are implemented
  • Control User Privileges – Limit user admin privileges
  • Update – Continuously assess vulnerabilities and patch holes in software
  • Protect Assets – Secure critical assets
  • Defenses – Defend against malware and intrusion
  • Access – Block vulnerable access points
  • Staff – Provide security training to employees, contractors and vendors
  • Monitor – Monitor network/infrastructure and collect logs
  • Test/Plan Response – Continuously test and validate your defenses

Other practices that may help would include Multi-Factor Authentication, Data Encryption and Fraud Alerting.  The list can go on and on, but the threat landscape, combined with compliance obligations, will most certainly drive businesses to be more responsible.

What specific data is covered under CCPA?

The act specifically outlines the types of data that fall under CCPA:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
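Knowing which of these categories a business actually holds is the first step of a compliance program, and it is usually done with a data inventory. As an added example that is not part of the original article, the following Python script classifies the fields of a constructed customer record against a subset of the categories listed above. The regular expressions and column-name hints are assumptions for illustration, not statutory definitions; a real inventory would be driven by the organization's own data dictionary.

```python
import re
from typing import Dict, List

# Illustrative value patterns for identifier types named in the CCPA list.
# These are assumed regexes for the example, not statutory definitions.
PATTERNS = {
    "email address": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "Social Security number": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "IP address": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    # "lat, lon" decimal pair, e.g. "32.7157, -117.1611"
    "geolocation data": re.compile(r"^-?\d{1,2}\.\d+,\s*-?\d{1,3}\.\d+$"),
}

# Column-name hints mapped to CCPA categories (assumed naming convention).
NAME_HINTS = {
    "name": "identifier",
    "address": "identifier",
    "browsing_history": "electronic network activity",
    "purchases": "commercial information",
    "employer": "professional or employment-related information",
    "fingerprint_hash": "biometric information",
}


def classify_field(name: str, value: str) -> List[str]:
    """Return the CCPA categories a single field appears to fall under.

    Value patterns are checked first, then the column name; a field may
    match more than one category (an email is also an identifier).
    """
    hits: List[str] = []
    for label, pattern in PATTERNS.items():
        if pattern.match(value.strip()):
            hits.append(label)
    for hint, category in NAME_HINTS.items():
        if hint in name.lower() and category not in hits:
            hits.append(category)
    return hits


def inventory(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every field of a record to the categories it matched (empty = none)."""
    return {field: classify_field(field, str(value)) for field, value in record.items()}


def covered_fields(record: Dict[str, str]) -> List[str]:
    """Sorted names of the fields that hold CCPA-covered personal information."""
    return sorted(field for field, cats in inventory(record).items() if cats)


# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "full_name": "Jane Q. Sample",
    "email_address": "jane@example.com",
    "ssn": "123-45-6789",
    "last_login_ip": "203.0.113.7",
    "last_known_location": "32.7157, -117.1611",
    "browsing_history": "news.example,shop.example",
    "order_total_usd": "42.50",
    "support_ticket_count": "3",
}

if __name__ == "__main__":
    for field, cats in inventory(SAMPLE_RECORD).items():
        print(f"{field:22s} -> {', '.join(cats) if cats else '(not covered)'}")
    print("Covered fields:", covered_fields(SAMPLE_RECORD))
```

Running the script prints one line per field with the categories it matched; the two numeric operational fields come back as not covered, which is the kind of distinction a 12-month data map needs to make before a deletion or access request arrives.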

What are the associated penalties of not complying with CCPA?

A class action lawsuit will cause the most financial damage for a business.  A lawsuit would arise in the event that non-encrypted or non-redacted personal information is breached.  The defending business would have the burden of proving that best practices were followed, and it could prove this with a log trail.  There are also defined regulatory penalties.  The maximum penalty under the CCPA is $7,500 and is reserved only for intentional violations of the CCPA.  Others, who lack specific intent, will be subject to a smaller $2,500 fine.

How can Mindcentric assist with CCPA?

Mindcentric works with clients to establish an ITIL-defined IT operation with a full suite of security measures.  Our team has worked within regulated industries since 1999, delivering fully secure and compliant IT solutions.  Mindcentric’s core operation has headquarters in San Diego County and serves clients across the globe.
