On September 10, 2019 – I presented the webinar on What is the CCPA and Why Should you Care?, which you can now watch on-demand here. If you are in scope for the California Consumer Privacy Act (CCPA) and are not nearing completion on it, then expect to spend a lot of long weekends in the office in the coming months.
On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect. If you are familiar with the General Data Protection Regulation (GDPR) from the European Union, then the CCPA won’t be such a momentous initiative. If you want to see the differences between the two, here’s a helpful CCPA and GDPR comparison guide from the Future of Privacy Forum. But to the point - CCPA will be the toughest data privacy law in the United States.
The CCPA aims to provide enhanced privacy rights and consumer protection for California residents. It gives these residents numerous rights around their data. Some of the new rights they have include:
- Business must disclose the personal data collected, sold, or disclosed for a business purpose about a consumer. And also inform consumers the categories of personal data collected and the purposes for which their personal data will be used.
- Not to discriminate against a consumer who exercises their CCPA rights. That runs the gamut from pricing, quality, service levels and more.
- Provide the consumer with access to their data.
- Upon request, delete personal data of the consumer. If you have shared that personal data with a 3rd-party, they must also delete that data.
- Provide the consumer with the ability to opt-out. You must give them the right to opt out of the sale of their personal data. Part of this includes easy to use links to do that from your web site.
The CCPA may apply to you if you are a business that collects the personal data of California consumers and does business in California. That means there are a huge number of businesses that are now in scope for this regulation. If you are one of those businesses, then each of those five items listed above means you have a lot of work to do.
What is considered personal data under CCPA?
Since personal data is what drives everything, it’s crucial to fully understand what CCPA considers personal data. Like GDPR, CCPA takes a far-reaching approach to what it regards as personal data. Section 1798.140(o)(1) of the CCPA bill defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
That section includes the standard identifiers such as name, address, passport number, social security number, driver’s license number, and much more. But it also extends into other information such as biometric data, audio, electronic, visual, thermal, olfactory, or similar information, Internet or other electronic network activity information, geolocation data, and lots more. And I mean lots, lots more. In fact, it might be easier at first to say what’s not personal data, than to define what is.
Start working on your CCPA compliance plan
For any business of substantial size, it’s highly likely that you are in scope for CCPA. Don’t think of trying to play wait and see with CCPA. It’s not going away, and hoping it does will prove a foolish business decision. The EU has recently issued hundreds of millions in fines against companies for GDPR violations. The State of California will have similar enforcement capabilities. CCPA is not poker and there’s no way to bluff yourself out of it.
CCPA is huge. Read the details and it’s easy to see that CCPA requires firms to make major infrastructure changes. CCPA mandates a significant amount of new processes around data collection. It requires significant reengineering and rearchitecture around how personal data is handled.
If you think you are in scope for CCPA, take a few days to read everything you can on the topic. The more educated you are about the act, the better you can deal with it.
And for a deeper dive on this subject, check out my on-demand webinar here.
Ben Rothke, Senior Security Consultant, Nettitude
Ben Rothke (@benrothke) is a senior security consultant with Nettitude and has over 15 years of industry experience in information systems security and privacy. His career incorporates a successful track record across corporate and consulting roles, securing IT assets for numerous Fortune 1000 companies.
He is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill) and a speaker at industry conferences, such as RSA and MISTI, and holds numerous industry certifications.