The California Consumer Privacy Act passed in 2018. It is a state statute that provides protections for residents of California, designed to give Californian consumers control over their online data and personal information.
CCPA gives consumers data protections including:
- The right to know about the personal information that businesses collect.
- The right to delete personal information that has been collected.
- The right to opt out of the sale of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
Who Needs to Care About CCPA Compliance
CCPA is a California law only, but it applies to any organization conducting business in California or collecting data on Californian users. Its protections cover California residents only, and they continue to apply while those residents are temporarily outside the state.
CCPA applies to:
- For-profit businesses conducting business in California that gross over $25 million in annual revenue.
- Businesses that buy, receive or sell the personal information of 50,000 or more California residents, households or devices.
- Businesses that derive 50% or more of their annual revenue from selling California residents’ personal information.
California is the most populous state in the US and home of Silicon Valley, so in the absence of federal regulations governing data protections for American consumers, CCPA has set the standard, and the obligation, for how companies across the US collect, store, sell and treat personal data.
Under CCPA, businesses can be sued if “nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it.”
The Benefits of CCPA
CCPA doesn’t automatically establish a secure digital environment; it is a roadmap to a more secure internet. It establishes a precedent for what kind of data we, as consumers, should expect to be protected. It also shows what kind of requirements businesses should expect to comply with if they want to protect user data and paves the way for future regulation.
CCPA has brought greater awareness of how websites collect, manage and sell data. It has put businesses in a position where they should disclose how they deal with consumer data. There is no obligation for all websites to strictly tighten their data security, and CCPA is, for the most part, dependent on the outcome of court cases: it relies on class action lawsuits to bring cases to a conclusion. Even so, the liability of not complying might be enough to bring improvements to general data security.
Drawbacks of CCPA
Whilst the CCPA is the first major step taken in the United States to improve data protections for consumers, it is not without flaws. There are issues with the CCPA in both scope and how it is written.
No obligation to maintain data security
There is no requirement to implement and maintain a strong data security practice. CCPA really only entitles consumers to statutory damages if they have been subject to a data breach. The only incentive to maintain security practices is that a failure to provide sufficient safeguards would, in the event of a breach, make you liable for statutory damages to consumers if that failure is proven in court.
Cases are brought through the court system, where consumers can sue businesses. This might be a barrier to entry for a lot of consumers, especially those wary of dealing with the court system.
A “cure” clause that favors businesses
Under the CCPA’s 30 day “cure” provision, consumers must provide a written notice of the specific issue before starting any legal action against a business: “If the business cures the noticed violation and provides the consumer a written statement indicating such, statutory damages are not available.”
How CCPA defines consumers
Whilst GDPR applies to any data subject in the EU at the time of collection or processing regardless of nationality, the CCPA defines consumer as being a California resident, even if out of state temporarily. Only protecting Californian consumers leaves a large swath of the country unprotected.
How CCPA defines data controllers
CCPA applies to businesses that trade in the data of more than 50,000 Californians annually or have a revenue of over $25 million, or businesses that derive more than 50% of their annual revenue from the sale of personal information; GDPR applies to all websites, companies and organizations in the world (data controllers) if they offer goods or services to people within the EU.
Supervising authorities: limited investigatory powers
CCPA violations and non-compliance are assessed by the Attorney General of California. Only the Californian AG has the authority to investigate CCPA violations, and consumers can only start litigation when they are affected by a breach – and that merely initiates court proceedings.
How to Achieve CCPA Compliance
As a business, you should ensure your website includes information about the type of data you are collecting on your users, allow users to opt out of the sale of this information, and be able to delete personal information when a consumer request is made.
Audit the data you are collecting
Understand how the law affects you. Know what kind of consumer data you are collecting. It’s not just PII but also web tracking data that is implicated in the law.
Your biggest liability might not even come from inside your own organization but from the third-party vendors you use as web service or plug-in providers.
Map consumer data
As of January 1, 2020, California consumers can enquire about how you collect their data and what you do with it; you should be able to answer those questions. Make it easy for your team to find data by making it indexable and searchable. Begin mapping the data you uncovered in your audit by asking:
- What data do you collect?
- Where do you store it?
- Who is responsible for the data?
- How do you collect the data?
- Who do you share the data with?
- Do you sell the data?
Implement privacy disclosures
Make your policies clear and keep them updated, and allow your users the opportunity to opt out. You should even consider adding a “do not sell my data” button to your website that allows review of your policies and the option to opt out of certain data practices.
Develop processes for information requests
You could be required to provide copies of consumer data, delete the data at their request, explain the data you collect or opt consumers out of having their data collected. Covered entities might be asked by a consumer:
- For a copy of their personal information
- That their personal information be deleted
- What categories of their personal information are being sold
- To opt out of the sale of personal information for those over 16 years old
- To opt in for the sale of personal information for those between the age of 13 and 16
- To obtain consent from a guardian to sell personal information from a consumer under 13 years old
Address privacy at every level
Keep your software and systems updated and secure. That means having strong passwords and malware protection, as well as addressing human risk. Train your team so that they understand the law, how it applies to them and how they might play a role in your data protection.
Take a risk-based approach
Protect your business by taking initiative with your data security practices and involving data security experts, alongside members of your team, at every level of your organization. Risk exists at every level. Gather insights and input from everyone in your organization and, as a team, identify your biggest risks and prioritize their fixes.
Businesses cannot be sued for CCPA violations unless there is a data breach. In specific instances, consumers are entitled to damages. A business is not liable if it “cures” any noncompliance within 30 days after being notified of alleged noncompliance (though some instances might not be capable of a “cure”).
Statutory damages that an individual can receive range from $100 to $750 per incident or can be for the total amount of monetary damages actually suffered as a result of the data breach. Courts can also decide tougher penalties depending on the severity of the breach. Considering that a typical data breach might affect hundreds of thousands of consumers, those costs can add up – but consumers have to go through litigation before fines are enforced.
As well as individual damages due to consumers, businesses may face civil penalties in the case of breach and violation of CCPA. These penalties can range from “$2,500 for a non-intentional violation to $7,500 for an intentional violation.”
Our Thoughts On CCPA
In early 2021, it was revealed that hackers from China have been attempting to steal biometric data and personally identifying information of more than 80% of Americans. In some instances, they have been successful. There is not just a business imperative to tighten the security of consumer data, but a national security imperative exists, too. Unfortunately, states cannot be trusted to enforce data protections equally and concurrently.
In 2019, after a spreadsheet with the names of 4,457 individuals along with their Social Security numbers, telephone numbers and email addresses was inadvertently published by the labor department in Georgia, the Supreme Court of the State of Georgia ruled that the state had “no inherent obligation to protect citizens’ personal information that it stores.” The ruling reiterated that those entrusted with sensitive data, the data collectors, had no obligation to secure that information, and that’s a problem.
Absent federal regulations, CCPA tries to fill a void that desperately needs to be filled. It establishes data security standards for businesses to implement and protections that consumers should expect. Yet, there are large gaps in who is protected and which businesses are liable, which leaves too much ambiguity and leeway to be an effective deterrent or to encourage compliance.
CCPA ≠ GDPR
CCPA is often mentioned in the same breath as GDPR, but it isn’t close to having the scope or impact and falls short of GDPR.
Without the sweeping powers to audit, investigate or enforce compliance with data security standards as with the GDPR, CCPA remains a deterrent purely because data security becomes a liability rather than something actively investigated and enforced.
Unlike GDPR, the CCPA has not been as effective in communicating what is required of companies and how cases are being handled. Although not all data about GDPR fines has been made public, there is more information available regarding compliance requirements and non-compliance penalties. There is even an independent website devoted to tracking GDPR enforcement, and it has been interesting to follow along as each member nation enforces GDPR compliance.
GDPR has issued hundreds of penalties in the last few years, including an £18.4 million fine to Marriott for a 2018 data breach for the “insufficient technical and organizational measures to ensure information security.” CCPA has not had the same publicity surrounding its enforcement or repercussions. Without the newsworthy penalties or cases, CCPA might not be enough of a deterrent to fix the issue of data insecurity in the United States.
If the consequences aren’t high enough, and enforcement of the law isn’t consistent, swift and effective, CCPA might not be dissuasive enough for companies to take the issue of data security seriously.
We are not lawyers; we cannot help you audit and achieve compliance in cybersecurity, but we can build a kick-ass website that will meet CCPA requirements, and we can work alongside your data management team to create a digital environment that will build consumer confidence in your brand and meet your business goals.
If data privacy regulations have you concerned about your website and compliance, read our guide to GDPR to level-up on your data security regulation knowledge, or reach out, and let’s have a conversation.