The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, is a big deal for any company that retains data on California residents. CCPA creates new consumer rights and new compliance responsibilities for businesses. The privacy rights are intended to give individuals transparency, access and choice, and to ensure they are not discriminated against for exercising those rights. The headline, though, is that CCPA is a big deal because, unlike the EU's General Data Protection Regulation (GDPR), whose administrative fines are capped at the greater of 4% of annual worldwide turnover or EUR 20 million, CCPA penalties are uncapped: they scale with the number of violations.
Without proper preparation, CCPA is a serious risk for any for-profit business that does business in California, collects personal information (PI) of California residents, and meets at least one of three thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the PI of 50,000 or more consumers, households or devices; or deriving 50 percent or more of its annual revenue from selling California residents' PI.
Civil penalties for noncompliance, enforced by the California Attorney General, are up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. To see the scale, consider a breach of a 20,000-name California prospect list: if each record is counted as a violation, the civil penalty exposure ranges from $50,000,000 to $150,000,000, without any need to prove actual damages to the consumers.
Breaches can also lead to class actions, since CCPA gives consumers a private right of action to recover either actual damages or statutory damages of between $100 and $750 per consumer per incident, whichever is greater. The same 20,000-record breach example can therefore lead to a suit ranging from $2,000,000 to $15,000,000 without proving actual damages to the consumers.
Remember that in 1972 California voters amended the California Constitution to include privacy among the "inalienable" rights. The amendment established a legal and enforceable right of privacy for every Californian, and fundamental to this right is the ability of individuals to control the use, including the sale, of their personal information.
Signed into law on June 28, 2018, CCPA gives teeth to California's commitment to privacy. Although it takes effect on January 1, 2020, Attorney General enforcement is deferred until July 1, 2020 (or six months after the final regulations are published, whichever comes first). However, the look-back provision reaches back a year, so data collected from January 1, 2019 onward is already in scope.
First, the new consumer privacy rights:
- Right to know – A consumer may request the specific pieces of PI a business has collected about them, the categories of PI and of sources, the business purpose for collecting it, and, where the business sells or discloses PI, the categories of PI sold or disclosed and the categories of third parties that received it.
- Businesses must disclose and deliver the required information, free of charge, within 45 days of receipt of a verifiable consumer request (the period may be extended once by a further 45 days when reasonably necessary, provided the consumer is notified within the first 45 days).
- Right to opt out of the sale of personal information – If a consumer exercises this right, the business is prohibited from selling that consumer's PI and must wait a minimum of 12 months from the date of the opt-out before asking the consumer to authorize sales again. Businesses that sell PI must provide a clear "Do Not Sell My Personal Information" link on their homepage.
- Right of deletion – After receiving a verifiable consumer request, the business must delete the consumer's PI from its records (subject to statutory exceptions such as completing a transaction, detecting security incidents, or complying with a legal obligation), and it must have contractual agreements in place requiring any service providers it has shared PI with to do the same.
- Right to be informed – At or before the point of collection, consumers must be told which categories of PI are collected and the purposes for which they will be used, and they must be informed that their PI is being disclosed or sold.
- Right to look back – When a consumer makes a verifiable request for access to their personal information, the business must provide records covering the 12-month period preceding the date of the request. This means that your organization should already be planning how it will establish accurate records of consumers' personal information starting from January 1, 2019.
- Right to equal service and price even if a consumer exercises their privacy rights
Note that the definition of PI under CCPA is broad. It includes account names, addresses, aliases, biometric data, commercial information, educational information, email addresses, geolocation, government-issued identifiers, IP addresses, media and browsing information, medical information, names, passport details, phone numbers, PINs, social security numbers, inferences drawn from any of these, and any other information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household or device.
If your organization already complies with the EU's General Data Protection Regulation (GDPR), you already have practices, tools and policies to support data subject access requests (DSARs) at scale. These will need to be extended to cover the differences between the two regimes. Among the differences: CCPA's "consumer" is any California resident and its notion of PI extends to households and devices, not just identifiable individuals; requests can cover a wider range of information, including the categories of PI collected, the categories of sources, the business purposes, and the categories of third parties with which PI was shared or sold; and the opt-out of sale has no direct GDPR equivalent.
For those new to supporting such requests, you will need to be able to verify the source and authority of each request; understand your data flows across the organization; know which categories of data you use, what you use them for, which third parties you have shared or sold data to, which categories they received and what they use each category for; and be ready to report on, modify or delete that data, including at those third parties. Volumes can be large: an organization may need to process thousands or tens of thousands of concurrent consumer requests, each within the 45-day window.
The good news is there is a rich set of tools and models for operationalizing these rights which we will present in a later post.
Although the fines are potentially greater than GDPR's, with enough understanding and preparation most of the risks of CCPA can be mitigated economically.
Ensuring that PI is encrypted or sufficiently redacted wherever it is stored, and that encryption keys and the identifiers that link records to people are managed separately from the data itself, keeps private data from being exposed even when an attacker gains unauthorized access to the store.
This matters because the private right of action under CCPA (Civil Code 1798.150) requires establishing: (1) the PI was nonencrypted or nonredacted; (2) it was subject to unauthorized access and exfiltration, theft, or disclosure; and (3) that (2) resulted from the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Note that the PI covered by this private right of action is the narrower breach-notification definition (Civil Code 1798.81.5: a name in combination with elements such as a social security number, driver's license number, financial account number with its access code, or medical or health insurance information), not the broad CCPA definition above.
Although the CCPA itself does not define reasonable security, the California Attorney General's 2016 Data Breach Report stated that failing to implement all of the CIS Critical Security Controls constitutes a lack of reasonable security. A prudent approach is therefore to perform a threat and gap analysis against a recognized framework such as the CIS Controls, then implement the controls that close the gaps so that you can show a complete set of generally accepted security and privacy practices. You cannot guarantee a breach will not occur, but you can reduce its likelihood and increase the likelihood of quick and substantial mitigation.
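The following is an added example, not code from the post, of what "sufficiently redacted" and "keys and IDs managed separately" can look like in practice: direct identifiers in a PI record are replaced by keyed HMAC tokens whose key lives in a separate key store, free-text fields have phone numbers and SSNs masked, and a leak check confirms that no raw identifier survives in the stored copy. The same token lets the business locate a consumer's rows to answer a verifiable access or deletion request without the data store ever holding the raw email address. The field names, the `KeyStore` class, and the sample record are my assumptions for illustration.

```python
"""Added example (not from the post): pseudonymise and redact a PI record so the
copy held in a data store or shared with a third party contains no raw direct
identifiers, while a keyed token still lets the business find a consumer's rows
to answer a verifiable access or deletion request.

Assumptions (mine, not the statute's or the post's): records are flat dicts, the
HMAC key is held in a separate key store, and the field names are illustrative.
"""
import hashlib
import hmac
import json
import re
import secrets
from typing import Dict, List, Optional

# Direct identifiers: replaced by a keyed token in the stored copy.
DIRECT_IDENTIFIERS = ("email", "name", "phone", "ssn")
# Free-text fields: kept, but with phone numbers and SSNs masked.
FREE_TEXT_FIELDS = ("notes",)

PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample record for illustration only; not real data.
SAMPLE_RECORD = {
    "email": "jane.doe@example.com",
    "name": "Jane Doe",
    "phone": "+1-415-555-0100",
    "ssn": "123-45-6789",
    "zip": "94105",
    "purchases": 3,
    "notes": "called from 415-555-0100 about SSN 123-45-6789",
}


class KeyStore:
    """Holds the tokenisation key apart from the data store (an HSM or KMS in
    production); without the key, tokens cannot be recomputed or linked back."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)

    def tokenize(self, field: str, value: str) -> str:
        # Normalise so "Jane.Doe@Example.com " and "jane.doe@example.com" give
        # the same token, and prefix the field name so the same value in two
        # different fields does not produce the same token (domain separation).
        msg = f"{field}\x00{value.strip().lower()}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


def redact_text(text: str) -> str:
    """Mask SSN and phone-number patterns in free text (SSN first, so the
    phone pattern cannot partially match an SSN)."""
    text = SSN_RE.sub("[SSN]", text)
    return PHONE_RE.sub("[PHONE]", text)


def pseudonymize(record: Dict, ks: KeyStore) -> Dict:
    """Return the copy that is safe to store or share: identifiers tokenised,
    free text redacted, everything else passed through unchanged."""
    out: Dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = ks.tokenize(field, str(value))
        elif field in FREE_TEXT_FIELDS:
            out[field] = redact_text(str(value))
        else:
            out[field] = value
    return out


def contains_raw_pi(stored: Dict, original: Dict) -> bool:
    """Leak check: does any raw direct-identifier value from the original record
    survive anywhere in the serialised stored copy (case-insensitive)?"""
    blob = json.dumps(stored).lower()
    return any(str(original[f]).lower() in blob
               for f in DIRECT_IDENTIFIERS if f in original)


def find_by_email(store: List[Dict], email: str, ks: KeyStore) -> List[Dict]:
    """Locate a consumer's pseudonymised rows for an access or deletion request
    by recomputing the token; the store never sees the raw email address."""
    token = ks.tokenize("email", email)
    return [row for row in store if row.get("email_token") == token]


if __name__ == "__main__":
    ks = KeyStore()
    stored = pseudonymize(SAMPLE_RECORD, ks)
    print(json.dumps(stored, indent=2))
    print("raw PI leaked:", contains_raw_pi(stored, SAMPLE_RECORD))
    print("rows for request:", len(find_by_email([stored], "Jane.Doe@Example.com", ks)))
```

Two caveats on the design. Deterministic tokens are what make DSAR lookups cheap, but they also mean that anyone who obtains the key can recompute tokens for a list of known emails, so the key must be protected and rotated like any other secret, and the tokens should not be treated as a substitute for encrypting the store itself. And regex redaction of free text catches only the patterns you thought of; a field like `notes` still needs a human or a classifier review before it is shared outside the organization.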
In addition, CCPA provides a 30-day window to "cure" a violation after written notice. Before a consumer can sue for statutory damages, they must give the business 30 days' written notice identifying the specific violations; if the business actually cures the violation within that time and provides the consumer with a written statement that it has done so and that no further violations will occur, no action for individual statutory damages may proceed. (As enacted, the Attorney General must likewise give 30 days' notice to cure before seeking civil penalties.) So "curing" is important even though it is not clearly defined. However, most security professionals would agree that once data has been exfiltrated, the disclosure itself cannot be undone; the most that can be "cured" is the security failure that allowed it, by taking enough measures to prevent a recurrence.
A quick example clarifies. If you suffered a data exfiltration that started with a phishing attack, is resetting passwords a "cure"? Probably not on its own. Encrypting the data at rest and deploying multi-factor authentication, ideally a phishing-resistant form such as FIDO2 security keys, look much more like a cure. Note that forcing monthly password changes is no longer considered good practice (NIST SP 800-63B advises against routine rotation); credentials should instead be rotated on evidence of compromise and screened against known-breached password lists. We would also recommend defensive measures such as endpoint protection (signature, model and behavior based), data loss prevention, and behavioral analytics to catch and block suspicious exfiltration, together with tight control of open ports and egress. Obviously you need the full set of appropriate controls. The practical reality is that the more of these prudent actions an organization has taken, the less likely a breach is, the smaller its impact, and the easier it is to argue that the organization did what was needed to both block and limit a future occurrence.
Organizations will also need new security strategies, policies, procedures, disclosures and contractual agreements to enforce third-party responsibilities, which compliance also requires. This will be covered in a follow-up post.
If you want more information about CCPA or how to prepare for CCPA, or if you are looking for help please leave a comment or contact us by email.
Categories: Privacy, CCPA, Risk Management