CCPA compliance is a must-have for many businesses operating in California. Learn about the main obligations under CCPA and how to apply them in practice.
In 2018, the California Consumer Privacy Act (CCPA) introduced stringent requirements for businesses operating in California, emphasizing the protection of consumer data. Since then, CCPA compliance has become a must-have for many businesses operating in California.
This CCPA compliance guide is aimed at providing a step-by-step approach to business obligations under CCPA and helping businesses navigate the complexities of CCPA compliance.
The California Consumer Privacy Act of 2018 (CCPA) is a California state statute intended to give consumers more control over their personal information. CCPA provides privacy rights for California consumers, including:
As of January 1, 2023, under Proposition 24, the California Privacy Rights Act (CPRA) amended the CCPA and granted additional rights to California consumers, such as:
However, CCPA compliance is not limited to granting customers their rights. Businesses subject to the CCPA have many other responsibilities, including third-party obligations and implementing robust security practices. General guidance on how to implement the law can be found in CCPA regulations.
This blog provides a general approach to CCPA compliance.
Identifying and monitoring data is an essential step toward CCPA compliance. It helps you identify the types of information your company holds. You should survey all areas of your business – from Marketing to Vendor Management – to identify every source of the information obtained and every place where it may be stored. The data inventory should include the following:
Once you have a clear understanding of your data and its locations, you can use the data inventory to implement the data security and privacy requirements mandated by the CCPA.
Make the consumer data privacy rights established by the CCPA central to your compliance efforts. Develop processes and protocols for handling consumer requests to exercise these rights. For example, if a consumer invokes their right to delete, ensure you know the location of the relevant data and have an established process to securely delete it while notifying the consumer in a CCPA-compliant manner. Be ready to efficiently and fully comply when consumers exercise their rights.
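The two steps above (an inventory that records where each category of personal information lives, and a deletion process driven by that inventory) can be tied together in code. The following is an added example written for this guide, not code from the original post or from any CCPA tooling; the data categories, store names, consumer records and the `retention_exceptions` parameter are all constructed placeholders for the real systems a business would map in its inventory.

```python
"""Added example (not from the original post): a minimal data-inventory-driven
handler for a CCPA 'right to delete' request. Every store, category and record
below is constructed sample data standing in for real systems."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed data inventory: for each category of personal information, the
# business function that collects it and the stores where it is kept.
DATA_INVENTORY = {
    "contact_details": {"source": "Marketing", "stores": ["crm", "newsletter"]},
    "order_history": {"source": "Sales", "stores": ["orders_db"]},
    "support_tickets": {"source": "Customer Support", "stores": ["helpdesk"]},
}

# Constructed in-memory stores keyed by consumer e-mail (stand-ins for real databases).
STORES: Dict[str, Dict[str, List[dict]]] = {
    "crm": {"alice@example.com": [{"name": "Alice", "phone": "555-0100"}]},
    "newsletter": {"alice@example.com": [{"opt_in": True}]},
    "orders_db": {"alice@example.com": [{"order_id": "A-1"}, {"order_id": "A-2"}]},
    "helpdesk": {"bob@example.com": [{"ticket": 42}]},
}


@dataclass
class DeletionResult:
    consumer: str
    verified: bool
    deleted: Dict[str, int] = field(default_factory=dict)   # store -> records removed
    retained: Dict[str, str] = field(default_factory=dict)  # store -> reason kept
    notice: str = ""                                        # text sent to the consumer


def verify_request(consumer: str, known_consumers: set) -> bool:
    """Stand-in for identity verification: only act on consumers we hold data for.
    A real implementation would verify identity before touching any record."""
    return consumer in known_consumers


def inventoried_stores() -> List[str]:
    """Every store named anywhere in the inventory, deduplicated, in stable order."""
    seen: List[str] = []
    for meta in DATA_INVENTORY.values():
        for store in meta["stores"]:
            if store not in seen:
                seen.append(store)
    return seen


def handle_deletion_request(consumer: str,
                            retention_exceptions: Optional[Dict[str, str]] = None) -> DeletionResult:
    """Locate the consumer's records in every inventoried store, delete them,
    and build the notice that goes back to the consumer.

    retention_exceptions maps a store name to the reason its records are kept
    (for instance a completed transaction record), recording the basis for
    retention alongside what was deleted so the response to the consumer is complete."""
    retention_exceptions = retention_exceptions or {}
    known = {c for store in STORES.values() for c in store}
    result = DeletionResult(consumer=consumer, verified=verify_request(consumer, known))
    if not result.verified:
        result.notice = f"Request for {consumer} could not be verified; no data was deleted."
        return result
    for store_name in inventoried_stores():
        if store_name in retention_exceptions:
            result.retained[store_name] = retention_exceptions[store_name]
            continue
        removed = STORES[store_name].pop(consumer, [])
        if removed:
            result.deleted[store_name] = len(removed)
    total = sum(result.deleted.values())
    result.notice = (f"Deletion request for {consumer} completed: {total} record(s) "
                     f"removed from {sorted(result.deleted)}; records retained in "
                     f"{sorted(result.retained)} under the stated exceptions.")
    return result


if __name__ == "__main__":
    outcome = handle_deletion_request("alice@example.com",
                                      {"orders_db": "completed transaction record"})
    print(outcome.notice)
```

The point of driving deletion from the inventory rather than from a hard-coded list is that a store added to the inventory later (a new marketing tool, a new vendor export) is automatically covered by the deletion process, and the result object gives you an auditable record of what was removed, what was kept and why, and what the consumer was told.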
According to the CCPA, if your business collects personal information from California consumers and then discloses that information to another party, you must establish a contract with that party. The contract should include the following provisions:
The settlement with Sephora underscores how critical it is to maintain the lawfulness of data sharing with third parties. Like most other online retailers, Sephora used tracking software and apps to monitor consumers’ website activity. These tools enable third parties to create consumer profiles by tracking user activities and collecting information about customers. Such activities are classified as a “sale” under the CCPA and require businesses to disclose that they “sell” personal information. It would have been possible to avoid qualifying these data transactions as a sale by signing service-provider contracts with the third parties. However, Sephora did neither and was fined $1.2 million by the California Attorney General. Read more in one of our previous articles, titled CCPA Showed Its Teeth. $1.2 Million Fine For Selling Californians’ Data.
The California Data Breach Notification Law requires businesses or state agencies to notify any California resident whose unencrypted personal information was disclosed to an unauthorized person. A business that has suffered a data breach must provide a data breach notification (a Notice of Data Breach). The notification must include the following information (provided that information is available to the business at the time the notification is sent):
Any person or business issuing a security breach notification shall electronically submit a copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.
According to the CCPA, all covered businesses must protect personal data using “reasonable” security measures. Adopt a risk-based approach to cybersecurity by assessing the risks associated with different data types and prioritizing them from most vulnerable to least vulnerable. Enhance systems and technology in areas where the risk is greatest. While implementing a new security and privacy platform for high-risk data can be costly, the potential fines and penalties for inadequate measures in case of a breach may exceed the costs of upgrading.
Businesses should use the Center for Internet Security (CIS) Critical Security Controls framework (formerly the Top 20, now 18 controls) for ensuring data security. The controls include:
“California Data Breach Report 2012-2016” published by California Attorney General Kamala D. Harris states, “… The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security”.
Achieving CCPA compliance is not a one-time task but an ongoing commitment. By carefully fulfilling business obligations under CCPA, businesses can proactively ensure compliance with CCPA regulations. Embracing CCPA compliance is a critical step toward establishing a strong foundation for data protection and maintaining consumer trust in the digital age.
If some questions regarding CCPA compliance remained unanswered, contact our Planet9 team. We’ll be happy to assist.