CCPA Compliance: What are Business Obligations?

CCPA compliance is a must-have for many businesses operating in California. Learn about the main obligations under CCPA and how to apply them in practice.

In 2018, the California Consumers Privacy Act (CCPA) introduced stringent requirements for businesses operating in California, emphasizing the protection of consumer data. Since that, CCPA compliance has become a must-have for many businesses operating in California. 

This CCPA compliance guide is aimed at providing a step-by-step approach to business obligations under CCPA and helping businesses navigate the complexities of CCPA compliance. 

What is CCPA?

The California Consumer Privacy Act of 2018 (CCPA) is a California state statute intended to give consumers more control over their personal information. CCPA provides privacy rights for California consumers, including: 

• The right to know about the personal information a business collects about them, including how this information is used and shared;
• The right to delete personal information collected from them;
• The right to opt-out of the sale or sharing of their personal information; and
• The right to non-discrimination for exercising their CCPA rights. 

As of January 1, 2023, under Proposition 24, the California Privacy Rights Act CPRA amended the CCPA and granted new additional rights to Californian consumers, such as:

• The right to correct inaccurate personal information that a business has about them; 
• The right to limit the use and disclosure of sensitive personal information collected about them.

However, CCPA compliance is not limited to granting customers their rights. Businesses subject to the CCPA have many other responsibilities, including third-party obligations and implementing robust security practices. General guidance on how to implement the law can be found in CCPA regulations. 

This blog provides a general approach to CCPA compliance. 

CCPA Compliance Guide

Step 1: Identify and monitor all processes for the collection, storage, and sharing of regulated data for your CCPA compliance

Identifying and monitoring data is an essential step toward CCPA compliance. It helps you identify the types of information your company holds. You should survey all areas of your business – from Marketing to Vendor Management –  to identify all the sources of the information obtained and places it may exist. The data inventory should include the following:

• Reviewing all areas of your business that deal with personal information. This may be your website, forms at retail locations, mail, and email, employment applications, call center recordings, service providers, tenants, marketing, etc.
• Identifying all categories of personal information received. The CCPA defines personal information as “information linked directly or indirectly to a specific consumer or household”. The personal information includes contact information, IP addresses, ethnicity, biometrics, internet browsing data, purchase history, geolocation data, academic and employment details, and browsing details.
• Identifying the sources of each category of personal information. This includes determining whether the information is obtained directly from the individual, indirectly through a third party, or observed through your own activities.
• Identifying all purposes for collecting the data and its intended uses for each category of personal information.
• Determining the legal retention period for each category of information to appropriately honor deletion requests.
• Identifying all entities that have access to the information, including the purpose of access, whether a contractual agreement is in place, and whether the entity may use the information for its own commercial purposes.

Once you have a clear understanding of your data and its locations, you can use the data inventory to exercise the necessary data security and privacy requirements mandated by the CCPA. 

Step 2: Implement data privacy policies and procedures

To maintain CCPA compliance, businesses should review their Privacy Policies. Your Privacy Policy must address all the data privacy and security rights provided by the CCPA and outline procedures for granting these rights. Update your privacy notices and include them in your Privacy Policy. The following privacy notices are required: 

• Notice on collection
• Notice on the right to opt-out of the sales or sharing of personal information
• Notice on the right to limit the use of sensitive personal information
• Notice on financial incentives

By ensuring that your privacy policy covers all of the CCPA rights and requirements, you can help ensure compliance with the CCPA.

Step 3: Provide consumers with ways to exercise their legal rights

Make the consumer data privacy rights established by the CCPA central to your compliance efforts. Develop processes and protocols for handling consumer requests to exercise these rights. For example, if a consumer invokes their right to delete, ensure you know the location of the relevant data and have an established process to securely delete it while notifying the consumer in a CCPA-compliant manner. Be ready to efficiently and fully comply when consumers exercise their rights.

Step 4: Ensure the lawfulness of data sharing with third parties for your CCPA compliance

According to the CCPA, if your business collects personal information from California consumers and then discloses that information to another party, you must establish a contract with that party. The contract should include the following provisions:

• Clearly specify that the personal information is sold or disclosed only for specific and limited purposes.
• Oblige the recipient party to comply with all relevant obligations under the CCPA. The recipient should also provide the same level of privacy protection to the data as required by California’s privacy laws.
• Grant your business the right to take reasonable and appropriate measures to ensure that your third party uses the personal information in a manner consistent with your business’s legal obligations.
• Require the third party to notify your business if they determine that they can no longer fulfill their obligations under California privacy law.
• Grant your business the right to take reasonable and appropriate steps, in accordance with the CCPA, to prevent and address any unauthorized use of personal information.

The settlement with Sephora underscores how critical it is to maintain the lawfulness of data sharing with third parties. Like most other online retailers, Sephora used tracking software and apps to monitor consumers’ website activity. They enable third parties to create consumer profiles by tracking user activities and collecting information about their customers. Such activities are classified as sale under CCPA and require businesses to disclose whether they “sell” personal information. It would possible to avoid qualifying these data transactions as sale by signing service-provider contracts with third parties. However, Sephora did neither and was fined by Californian Attorney General on $1.2 million.  More on that read in one of our previous articles titled CCPA Showed Its Teeth. $1.2 Million Fine For Selling Callifornians’ Data 

5. Document breach notification procedures

California Data Breach Notification Law requires businesses or state agencies to notify any California resident whose unencrypted personal information, was disclosed to an unauthorized person. A business that suffered a data breach must provide a data breach notification – Notice of data breach. The notification must include the following information (provided that information is available to the business at the time notification is sent):

• Contact information and the name of the company or individual responsible for reporting the data breach.
• A comprehensive list of the types of information believed to have been compromised.
• The specific date or estimated range of dates during which the data security breach occurred.
• A brief summary describing the incident that resulted in the data breach.
• Provided toll-free numbers and addresses for the three major credit reporting agencies, in cases where the breach involved the exposure of California identification card numbers, driver’s license numbers, or Social Security numbers.
• Offer suitable mitigation services and identity theft prevention for affected individuals for a minimum period of one year, if the entity reporting the breach is also the source of the data breach.
• Clear instructions on how individuals can take advantage of the offered year-long mitigation and identity theft prevention services.

Any person or business issuing a security breach notification shall electronically submit a copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. 

Step 6: Ensure reasonable security of personal information

According to the CCPA, all covered businesses must protect personal data using “reasonable” security measures. Adopt a risk-based approach to cybersecurity by assessing the risks associated with different data types and prioritizing them from most vulnerable to least vulnerable. Enhance systems and technology in areas where the risk is greatest. While implementing a new security and privacy platform for high-risk data can be costly, the potential fines and penalties for inadequate measures in case of a breach may exceed the costs of upgrading. 

Businesses should use the Center of Internet Security (CIS) Top 20 (now top 18) Controls framework for ensuring data security. The controls include

• Inventory and Control of Enterprise Assets
• Inventory and Control of Software Assets
• Data Protection
• Secure Configuration of Enterprise Assets and Software
• Account Management
• Access Control Management
• Continuous Vulnerability Management
• Audit Log Management
• Email and Web Browser Protections
• Malware Defenses
• Data Recovery
• Network Infrastructure Management
• Network Monitoring and Defense
• Security Awareness and Skills Training
• Service Provider Management
• Application Software Security
• Incident Response Management
• Penetration Testing

 “California Data Breach Report 2012-2016” published by California Attorney General Kamala D. Harris states, “… The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security”. 

Conclusion

Achieving CCPA compliance is not a one-time task but an ongoing commitment. By carefully fulfilling business obligations under CCPA,  businesses can proactively ensure compliance with CCPA regulations. Embracing CCPA compliance is a critical step toward establishing a strong foundation for data protection and maintaining consumer trust in the digital age.

If some questions regarding CCPA compliance remained unanswered, contact our Planet9 team. We’ll be happy to assist.

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646