CCPA grants Californian consumers privacy rights while imposing obligations on businesses. Learn how to meet these obligations and achieve CCPA compliance.
Performing everyday operations, businesses collect a huge amount of consumers’ personal data. In fact, they often collect more information than they expect. In the context of the California Consumer Privacy Act (CCPA), the privacy of personal data is one of the greatest consumer values. Thus, CCPA grants Californian consumers specific privacy rights while imposing various obligations on businesses. To fully meet these obligations, businesses should strive for CCPA compliance.
In our previous post, we highlighted the core aspects of CCPA, mainly focusing on rights that the statute grants for California citizens. In this article, we are getting closer to the CCPA compliance and data privacy security requirements that businesses must meet to avoid trouble.
The first step to successful CCPA compliance is identifying all the information businesses hold and transmit. This process is not as simple as it may seem at first glance. Getting down to identification, organizations are recommended to divide all information collected into smaller groups and center it around the following questions:
Answering these questions helps businesses to properly understand the amount and nature of data collected and transmitted. With this understanding, businesses can successfully proceed with the next stages of CCPA compliance.
CCPA compliance starts with figuring out from what consumer groups businesses collect information. Typically, the list of such information is more or less the same, and all businesses arrive at the following consumer groups:
Businesses must have a clear vision of what all these consumer groups mean under CCPA. For instance, one must consider customers not just as “consumers” but as any California resident. It is also essential to maintain that internal consumer groups, such as employees and job applicants, are also protected under CCPA, though they are treated differently. The main difference is that internal consumers can make to-know-requests, but they don’t have the right to make privacy requests, such as requests to delete.
Categorizing various consumer groups, businesses can more accurately understand what information they are collecting. The “what-question” may be partially answered after reviewing the forms of interactions with customers. For instance, consumers that made a newsletter subscription are generally required to provide an email address. Web-site visitors have probably left their IP addresses or geolocation data. In contrast, those who accomplished online purchases likely provided much more personal information such as name, phone number, address, etc.
Having identified the information collected from the specific groups, businesses should narrow it to personal information for CCPA purposes. As CCPA defines personal information very broadly, businesses should approach narrowing personal data from the opposite premise. In other words, it is logical to exclude data that is not personal information under CCPA, particularly – de-identified or aggregate information, publicly available information, and information collected according to other federal or state laws (such as HIPAA). The data, which was not excluded, belong to personal information under CCPA.
After completing the above data identifications, businesses are ready to set about the specifiers of disclosing personal information to outside parties. CCPA likens outbound information to sharing and selling it to other businesses and third parties. Understanding the principles of such a distribution is very important for further CCPA compliance because information disclosure may have different implications depending on how and to whom it is disclosed. In general, selling personal information to third parties implies satisfying customers’ opt-out and to-know requests. However, there is a critical exception regarding service providers.
CCPA defines a service provider as an entity that processes information on behalf of a business but is prohibited from retaining, using, or disclosing personal information. Precisely speaking, disclosure of personal information to service providers is not qualified as selling, so it cannot be affected by consumers’ opt-out requests. The prohibition from retaining, using, or disclosing should be clearly stated in the contract with a service provider. Thus, the CCPA compliance also requires businesses to review the contract language with their vendors, which may probably prevent them from responding to many opt-out requests and make compliance more effortless.
The final component of CCPA compliance is responding to privacy requests from consumers. Based on their rights, consumers can make requests to businesses regarding personal information collected about them. These requests include the request to know, request to delete and request to opt-out.
This section will not specify each privacy request because we already made it in our previous post. But instead, we will identify the key issues that businesses should be aware of when responding to each type of privacy request.
There are many security concerns associated with disclosing personal information, unauthorized disclosure, selling, identity theft. To minimize the possibility for the occurrence of any of these concerns, consumers’ requests to know must be verifiable. To determine the appropriate verification level, businesses should consider the sensitivity of the data they work with.
For instance, email verification is usually sufficient for responding to the requests-to-know categories of information collected. To satisfy the requests-to-know specific information, one should require additional security steps, such as the account login or user ID (if the customer has created one). Businesses must remember that they cannot disclose social security numbers, driving licenses, financial account numbers, biometric data, and other sensitive information even if they obtain the requests to know. In these cases, the business should only describe the type of information collected.
The requests to delete generally require similar verification mechanisms, but the verification level depends on the deleted information type. For instance, such sensitive information as family photos or video records can be deleted only after verifying the requestor’s identity to a reasonably high degree of certainty.
Unlike requests to know and delete, opt-out requests do not have a clear requirement for a person’s verification. CCPA states that selling data must be stopped after a customer’s direction. However, businesses can deny a request if they have a reasonable cause to consider the request as fraudulent.
CCPA focuses on the privacy aspect of personal information; however, security is still enforced. While the statute does not explicitly impose data security requirements, it recognizes a business’s duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure” (1798.150).
It is also important to note that under CCPA, any business that violates the duty to implement and maintain reasonable security procedures and thereby put customers’ personal data to a threat of unauthorized access and exfiltration, theft, or disclosure may be subjected to fines, injunctive, or declaratory relief, and any other relief the court deems proper. In most cases, the amount of financial recovery ranges from $100 to $750 per consumer per incident or actual damages, whichever is greater.
To avoid penalties, reliefs, and a bad name, businesses are encouraged to improve privacy and security practices and reduce the number, size, and impact of data breaches. The recommended cybersecurity practices may be found in the California Attorney General’s February 2016 Data Breach Report. According to the report, the basic steps for conducting the security risk management either under CCPA or in the context of any other statute or regulation should include:
Businesses should conduct risk assessments regularly to review the sensitivity of consumers’ personal information and identify potential and existing risks to the security and privacy of this information.
It is necessary to look for adherence to security standards that define the scope of security controls, the criteria for evaluating their effectiveness, and the procedures for dealing with security failures. Among the best-known foundational standards for personal data security and protection are NIST SP 800-122, ISO/IEC 27001, ISO/IEC 27002:2013, etc.
Businesses must always use multi-factor authentication to protect consumers’ personal information and make it available on web-based online accounts (such as shopping accounts) containing sensitive personal data.
Strong data encryption is imperative for those working with sensitive personal data. Thus, businesses must use strong encryption mechanisms to protect customers’ data both in transit or at rest, regardless of where it is sold or shared.
These steps are the minimum of personal information security requirements that businesses should maintain to keep consumers’ data safe and avoid potential lawsuits and penalties.
If you have any questions regarding CCPA compliance and data privacy security, consult our Planet9 team. We’ll be happy to assist.