What is CCPA?

The California Consumer Privacy Protection Act (CCPA) is a California law that establishes mandatory requirements for all organizations storing and processing personal data of California residents. It gives consumers unprecedented rights in managing their data, including:

  • Right to opt-out: A consumer has the right, at any time, to direct a business that sells personal information about the person to third parties not to include their personal information in the transaction.
  • Right to notice: A consumer has the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, explicitly notify the consumer about any such transaction.
  • Right to disclosure: A consumer has the right to request that a business that collects personal information about the consumer disclose to the consumer what information is collected, for what purpose, and what third parties it is shared with.
  • Right to deletion: A consumer has the right to request that a business delete any personal information about the consumer which the business has collected.
  • Right to equal services and prices: A business shall not discriminate against a consumer because the consumer exercised any of their rights under this title.

CCPA has a broad definition of Personal Information (PI), including real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, Social Security Number, driver’s license number, passport number, and any other similar identifiers. The broad umbrella also includes any other information that may directly or indirectly identify an individual, including records of personal property, products or services purchased, biometric information, geolocation data, professional or employment information, and educational records.

Organizations are also required to implement and maintain reasonable security procedures and practices to protect personal information.

Who needs to comply with CCPA?

According to the regulation, any legal entity that meets any of the following thresholds must meet the compliance requirements:

  • Has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
  • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices;
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

Why comply with CCPA?

Companies comply with CCPA for many reasons, including:

  • Protecting PI is a legal and moral obligation for all organizations;
  • Most enterprises have a process in place to assess their vendors’ compliance with CCPA. If the vendor doesn’t have sufficient policies, processes, and technologies implemented, the company will not sign a contract with them;
  • If a company experiences a personal data breach, the affected consumers may institute a civil action for any of the following:
    • To recover damages in an amount not less than $100 and not greater than $740 per consumer per incident or actual damages, whichever is greater;
    • Gain injunctive or declaratory relief; and
    • Request any other relief the court deems proper.
  • Additionally, any business that fails to address non-compliance within 30 days is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation;
  • Furthermore, other negative consequences include:
    • Loss of customers’ and consumers’ trust;
    • Loss of existing and prospective contracts; and
    • Damage to their public image.

How to comply with CCPA?

There is no one-size-fits-all approach to CCPA compliance, as different organizations have different people, processes, and technologies. However, there are general requirements that must be met by all organizations, including:

  • Identify and monitor all processes for collection, storage, and sharing of regulated data
  • Implement data privacy policies and procedures
  • Provide consumers with ways to exercise their legal rights
  • Ensure the lawfulness of data sharing with third parties
  • Document breach notification procedures
  • Sign appropriate agreements with third parties
  • Ensure reasonable security of personal information

Organizations that want to comply with CCPA’s requirement to protect personal information should consider implementing the Center for Internet Security (CIS) Top 20 Critical Security Controls (CSC) framework as their minimum level of security.

The “California Data Breach Report 2012-2016” published by California Attorney General Kamala D. Harris states, “… The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security …”

The purpose of the CIS CSC is to help organizations address the most common cybersecurity risks. The 20 CIS controls have been prioritized based on their effectiveness in mitigating cyberattacks. The list has been developed by security experts from the US National Security Agency (NSA), the US Department of Energy nuclear energy labs, law enforcement organizations, and some of the nation’s top forensics and incident response organizations.

How can Planet 9 help?

Planet 9, a San Francisco Bay Area-based organization, employs seasoned professionals with years of experience across various industries who can help with addressing all CCPA requirements. A typical engagement consists of the following process:

  • Conduct a discovery to understand the client’s organization, business processes, and technologies
  • Identify all of the client’s data and third parties in the CCPA scope
  • Perform a CCPA assessment to identify compliance gaps
  • Develop a roadmap for addressing the identified compliance gaps and risks
  • Assist the client in executing the roadmap

Depending on the client’s internal resources, expertise, and availability, Planet 9 can implement the entire roadmap, position the client to execute the roadmap on their own, or supplement the client’s team.