
What is the California Consumer Privacy Act?

  • Who does the CCPA protect?
  • Requests for deletion
  • What types of information does the CCPA safeguard?
  • Who needs to comply with CCPA?
  • Which business industries are most affected by the CCPA?
  • The future of the CCPA
  • How do you become CCPA compliant? 3 steps to follow
  • How Spirion can help you become CCPA Compliant

The California Consumer Privacy Act (CCPA) is a law that regulates what businesses are allowed to do with personal information collected from California residents. The CCPA was enacted to enhance consumer privacy rights by setting guidelines on how businesses should handle private consumer information, and by allowing any California consumer to request full visibility on how their personal data is being used and shared.

It is currently the most comprehensive U.S. state-level data protection regulation, and it sets the stage as a national standard for data protection and privacy and for their likely development over the next few years.

Who does the CCPA protect?

The CCPA protects the personal information of consumers who are California residents. A California resident is defined as an individual who uses California residency for income tax purposes. This means that the CCPA does not protect consumers who are only temporarily in the state of California. It does, however, apply to a permanent California resident who may reside temporarily out of state, such as a student attending college in another state. The protected consumer does not need to be physically in the state of California when a purchase is made; they only need to meet the requirement of being a California resident.

The term “consumer” is broader within the CCPA than in everyday usage. According to the law, a consumer includes customers of goods and services, employees, and even businesses (in business-to-business transactions).

Requests for deletion

The CCPA grants consumers greater protections to their personal data. It also gives consumers the right to request deletion of their personal data (see §1798.105(a)) and to request information on how their personal data is being used.

The “right to request deletion” is similar to the GDPR’s “right to be forgotten,” but differs in that consumers have a right to make the request — not necessarily a right to deletion.

Can requests be denied?

A company can legally deny a deletion request for several reasons, including when the information is:

  • Needed to complete the transaction for which it was collected
  • Needed to provide goods or services requested by the consumer
  • Required to perform a contract
  • Used to detect security incidents and protect against malicious, fraudulent or illegal activity
  • Needed to engage in scientific, historical, or statistical research in the public interest
  • Used solely for internal uses that are reasonably aligned with the expectations of the consumer
  • Required to comply with a legal obligation or applicable laws

Regardless of whether the request is accepted or denied, companies are required to:

  • Provide an accessible method for consumers to send a request
  • Respond with acknowledgement to requests within 10 days
  • Fulfill or respond with a decision within 45 days

The parameters of timely acknowledgement and response are also required for the Right to Access Personal Information, or the “Request to Know.”

What types of information does the CCPA safeguard?

The CCPA protects all forms of personally identifiable information (PII). PII is any type of information that identifies, relates to, describes or can be reasonably linked with a particular individual. It does not include any information that is publicly available via government records.

Businesses will often collect forms of PII to process payments or personalize the consumer experience. Below are examples of commonly collected forms of PII that need to be protected per CCPA regulation:

  • Names
  • Postal Addresses
  • Age
  • Birthday
  • Driver’s license number
  • Credit card numbers and cardholder information
  • Social security numbers
  • Passport number
  • Demographics
  • Geolocation data
  • Income
  • Political or religious affiliations
  • Education information
  • IP address or similar digital device identifiers
  • Biometric information

Who needs to comply with CCPA?

Businesses that meet the following conditions need to comply with the CCPA:

  • Have a gross annual revenue in excess of $25 million
  • Possess the personal information of 50,000 or more consumers, households, or devices
  • Earn more than half of their annual revenue from selling consumers’ personal information

If your business does not meet these conditions, you may be wondering if you are exempt from the CCPA. The CCPA currently does not extend to non-profit organizations, government entities or small businesses. Outside of those specific exemptions, it is generally recommended to be privacy-forward even if you don’t meet the above conditions.

For one, if your business grows and eventually meets one of the conditions for CCPA inclusion, your organization should be prepared to quickly meet all of the regulation’s compliance requirements. It’s easier to create the proper privacy workflows earlier than try to fix vulnerabilities and risks once your business has collected vast quantities of personal consumer information.

Additionally, the CCPA is the start of data privacy regulation in the U.S., and with initiatives like the CPRA bill, more businesses may be affected by data privacy regulations — and more stringent regulations at that.

Which business industries are most affected by the CCPA?

Virtually all businesses with some sort of online presence should take the CCPA’s requirements under serious consideration. However, several industries are more widely affected and bear the brunt of this law.

eCommerce

Since the CCPA applies to a business regardless of its location, any business with an online presence is likely to receive traffic from consumers who are California residents. Any private information collected from a California resident, including name, purchase details and credit card information, must be protected. eCommerce businesses are among those most affected by the CCPA because of the volume of consumer information they collect for marketing and checkout.

Financial Services

Banks, credit unions, investment firms and other financial institutions deal largely in sensitive data. They collect credit card information, mailing addresses and names. If direct deposit services are set up, their banking systems also process private income information. Some financial institutions also offer mobile banking or mobile apps that use biometric data, such as fingerprint scanning, as login information.

Higher Education

Colleges and universities are data-driven in order to offer their students a better academic experience. The information they collect may be necessary for financial aid services, campus health clinics, offices of enrollment and admissions, and for use of learning management systems. Other technologies from vendors and third-party service providers that education institutions partner with must also be CCPA compliant, since sensitive information is being fed to those external systems on behalf of the education institution.

Note that some industries collect personal data that is already covered under a federal law, such as HIPAA or the GLBA. PII is outside the CCPA’s scope when it is already protected under a federal law or regulation.

The future of the CCPA

The CCPA became effective on January 1, 2020 and was formally enforced from July 1, 2020, but that did not stop early lawsuits from being filed. On February 3rd, the first CCPA lawsuit was filed against Salesforce, and others followed.

CPRA (CCPA 2.0)

The group Californians for Consumer Privacy spearheaded the CCPA and more recently formed the California Privacy Rights Act (CPRA) ballot initiative, which passed on November 3, 2020. The CPRA is also known as CCPA 2.0, as it includes greater protections for consumers and applies to a larger number of businesses.

Some of the key aspects of the CPRA include:

  • Amendments to the CPRA must be “consistent with and further the purpose and intent of the Act,” meaning that amendments cannot restrict privacy in any way.
  • The CPRA modifies the definition of affected businesses. The threshold number of consumers increases from 50,000 to 100,000. It also expands applicability to businesses that generate most of their revenue from sharing PII, not just selling it.
  • It creates new requirements and restrictions for sensitive PII, including disclosure requirements, opt-out requirements for use and disclosure, opt-in consent standards for use and disclosure, and purpose limitation requirements.
  • Consumers have a right to request correction of their PII held by a business if that information is inaccurate.
  • It strengthens opt-in rights for minors by requiring businesses to wait 12 months before again asking a minor for consent to sell or share their PII after the minor has declined.

Consumers are becoming more knowledgeable about how companies use their personal information, and the fact that the CPRA passed not long after the CCPA indicates that further developments in U.S. privacy law are likely to come.

How do you become CCPA compliant? 3 steps to follow

Becoming CCPA compliant can seem like a big undertaking, but it doesn’t have to be. By taking a few key steps and adopting the right technologies to aid the process, your business can take charge of its customers’ data privacy and remain legally compliant.

1. Create clear policies

Everyone in your organization needs to be aligned when it comes to procedures and data privacy best practices. Many data privacy breaches occur from simple human error and can be prevented if your staff is trained on proper procedures. This also helps your internal security teams work more efficiently, because when everyone on your team knows who is responsible for what, there is less friction and less room for error.

2. Create the right workflows

Under the CCPA, California consumers are entitled to request deletion of their private data and to request information on how it is being used. With the CPRA passing, some of those request rights will expand.

It’s important to make the process easy for your customers to use and for your security and legal teams to handle. To cut down on countless hours of manual labor and stressed-out staff, it’s best to create an automated workflow for these subject rights requests.

3. Understand and monitor your data

Many organizations think they know where all of their data lives, the types of data they collect, and who has access to that data. In reality, it’s common for organizations to discover troves of sensitive information that had gone unnoticed. Sensitive data discovery and data classification are two key components of getting a full view of your data. Together they also give you better context for analyzing the risks associated with your organization’s data and for deciding what can be done to strengthen your overall data privacy and security initiatives.

How Spirion can help you become CCPA Compliant

Spirion helps businesses take charge of their data privacy and security goals by bundling robust sensitive data discovery, automated data classification, AI-driven workflows, and compliance tools into one solution. Businesses can add an automated Subject Rights Request processing function to the Spirion Sensitive Data Platform (SDP) to make adhering to the CCPA’s rights request requirements easier.

© 2024 Spirion, LLC. All Rights Reserved
