The European Union (EU) General Data Protection Regulation (GDPR), New York "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act, and other data security regulations impact businesses around the world. In addition to these regulations, certain companies that serve California consumers must comply with a new data security law — the California Consumer Privacy Act (CCPA).
Signed into law in 2018, CCPA establishes consumer rights relating to the access to, deletion of, and sale of personal information collected by businesses. It took effect January 1, 2020, and because consumers may request the personal information a business collected about them during the preceding 12 months, affected companies needed data tracking systems in place by the start of 2019.
So, what is CCPA, and does it affect your business? Here are three things you need to know about CCPA.
1. CCPA Provides California Consumers with the Right to See Their Data
CCPA gives California consumers the right to request the categories and specific pieces of personal information a company has collected about them. If a company sells or discloses California consumers' data to third parties, it must be able to tell Golden State consumers, upon request, the categories of third parties that received it. This allows California consumers to find out how their data has been handled regardless of whether the company suffers a data breach.
Furthermore, CCPA requires companies to give California consumers the ability to opt out of the sale of their personal information to third parties, so businesses must track and honor each consumer's opt-out choice. CCPA also bars a company from discriminating against consumers who exercise this right: it must provide the same level of service and pricing to consumers who opt out. At the same time, CCPA permits businesses to offer discounts, rebates, and other financial incentives to consumers who allow the sale of their data, provided the incentive is reasonably related to the value of that data.
2. CCPA Covers a Wide Range of Consumer Information
CCPA defines "personal information" broadly to include:
Personal identifiers such as an individual's first and last name, mailing address, email address, driver's license number, and Social Security number
Protected classifications defined by California or federal law
Commercial information, such as personal property records and products or services purchased, obtained, or considered
Biometric information
Internet or other electronic network activity, such as browsing history, search history, and information that relates to a consumer's interactions with a website, application, or advertisement
Geolocation data
Audio, electronic, visual, thermal, olfactory, or similar information
Professional and employment information
Education information, i.e. information that is not publicly available personally identifiable information (PII) as defined by the Family Educational Rights and Privacy Act
Inferences drawn from any of the above to create a profile that reflects an individual's preferences, characteristics, attitudes, etc.
CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50 percent or more of annual revenue from selling consumers' personal information. A business can be located anywhere in the world and still be subject to CCPA if it meets one of these criteria.
3. Companies Have a 30-Day Window to Cure a CCPA Violation Before Penalties Apply
If the California Attorney General notifies a company of an alleged CCPA violation, the company has 30 days to cure it. If the violation is not cured within that window, the Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.
CCPA also gives consumers a private right of action, but only for data breaches: if a consumer's nonencrypted and nonredacted personal information is exposed because a business failed to implement reasonable security procedures, the consumer can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Affected consumers can bring these claims individually or as a class action. A consumer seeking statutory damages must first give the business 30 days' written notice of the specific violations and an opportunity to cure.
The Bottom Line on CCPA
California has experienced more data breaches than any other U.S. state over the past decade, so perhaps it's easy to understand why CCPA has been put into place. Meanwhile, CCPA may appear daunting, especially if your business is affected by the law and is just finding out about it now. With the right approach to cyber security, you can upgrade your security posture and comply with CCPA and other data protection requirements.
Attackers want consumer data, and they will keep probing business systems for a way in. Fortunately, there is a lot you can do to improve your security posture and make their job harder, such as:
Inventory network devices and the data stored on each, then apply configuration management, cloud-based monitoring, and endpoint protection across that inventory
Identify the cyber risks relevant to your business systems and use firewalls and network segmentation to limit what an attacker can reach if one system is compromised
Deploy data exfiltration detection so you are alerted whenever consumer information moves out of your network
Deploy mobile device management (MDM) tools that let you lock or remotely wipe employee smartphones, tablets, and laptops if they are lost or stolen
Run phishing simulations to see how employees respond, and train them to recognize and report phishing so an attack can be contained before it escalates
None of these measures will prevent every attack, but together they reduce the likelihood and impact of a data breach. They also demonstrate the kind of reasonable security procedures CCPA and other data security laws expect, which lowers your exposure to penalties and breach litigation.
At TSP, we provide cyber security services and solutions to help businesses manage their security posture. We understand the challenges associated with cyber security, and work hand-in-hand with a business to address them. Thanks to our proven process, we empower businesses to quickly detect and address cyber attacks, stay in compliance with data security laws, and more.
Our team is happy to help a business identify cyber security gaps, deploy cyber security services and solutions, and prepare its employees for all types of cyber attacks. To learn more, please call us at 617-267-9716.