What started with Europe’s GDPR has led to the birth of data privacy regulations around the world, one of the major ones being the California Consumer Protection Act (CCPA). California is the leading state in the United States and represents 14.3% ($2.7 trillion) of the entire US economy. Had it been a country, it would have been the 5th largest economy in the world, ahead of the UK. Businesses therefore cannot overlook such a massive marketplace, and compliance becomes a necessity.
The CCPA was signed into law in June 2018 and went into effect this year, on January 1, 2020. Much like the GDPR, it empowers consumers with a long list of privacy rights and is set to dramatically change the way American businesses use data.
Who does the CCPA apply to?
The CCPA applies to any business that controls or is controlled by an entity that collects or receives personal information from California residents, either directly or indirectly, and meets one or more of the following criteria:
- The entity has annual gross revenue that is US $25M or more
- The entity buys, receives, sells or shares the information, either directly or indirectly, of 50,000 or more California residents, devices or households
- The entity generates 50% or more of the annual revenue by selling the personal information of California residents
How does the CCPA impact consumers?
With the introduction of the CCPA, consumers now have new rights regarding their data:
- They have a right to know what personal information is being collected about them, how that information will be used, and if and with whom it will be shared. This enables them to decide whether they want businesses to have their data or not.
- Should they decide they don’t like the data that’s been collected, they may opt out of the sale of their data to third parties, exercising their right to control who has access to their information.
- The consumer can also request that their data be deleted. In this case, the business must delete all information pertaining to that consumer. However, there are exceptions to this:
  - if the data is being retained and processed for a specific research purpose,
  - to complete a transaction requested by the consumer,
  - for limited analytical uses or other regulatory and contractual purposes.
  In these cases, the business need not follow through with the consumer’s request under the right to be forgotten.
- Should there be a data breach, consumers have the right to seek damages by suing the business responsible for the leak of their data.
- Additionally, the act provides further protection for minors (aged under 16), whose data cannot be collected at all unless they choose to opt in.
- Consumers also have the right to non-discrimination: a business cannot discriminate against a consumer because they have exercised any of the rights provided by the CCPA. The business may, however, offer financial incentives to the consumer for the collection, sale or deletion of personal information. In this case, the business must disclose the incentive on its website and enroll customers only if they choose to opt in to the incentive program.
- Overall, these rights promote data transparency, ensuring that businesses are frank about the data being collected and the purpose for which it is being used.
How does the CCPA impact businesses?
To fulfill these consumer requests, businesses need to re-examine the way they handle data and implement measures for quick and efficient response. Anywhere that personal data is being collected, businesses are obligated to disclose the following to their customers:
- what their rights are under the CCPA,
- what categories of information they’re collecting,
- how the information they collect will be used,
- if and with whom it will be shared, and
- what categories of information have been shared with third parties in the previous year.
Whom does the CCPA benefit?
The various rights under the CCPA present consumers with a slew of benefits. At first glance it may seem that the CCPA, and any other data protection regulation for that matter, is built solely to protect consumers and not businesses, which, on reflection, isn’t true. An evident benefit the CCPA brings to businesses is the competitive advantage of compliance. In today’s world, data protection and a robust data security posture are fast becoming a differentiating factor among businesses. As consumers’ awareness of their data increases, it’s only natural that they gravitate towards businesses that are well equipped for privacy protection.
Moreover, data privacy is becoming more and more critical. Other US states are drafting laws similar in nature to the CCPA. Even though businesses may find it expensive to become CCPA-compliant now, the money spent will remain relevant for years to come as new regulations are introduced. On close inspection, the CCPA brings multiple benefits to the businesses it affects.
Penalties for non-compliance
Under Section 1798.155(a) of Title 1.81.5 of the CCPA, action can be taken against any business or individual violating the act. The penalties for non-compliance are $2,500 per unintentional violation and $7,500 per intentional violation. For example, if a breach impacts the data of 10,000 individuals, the entity responsible for the breach can be fined $25 million for an unintentional violation and up to $75 million for an intentional violation. The act does not place any cap on the total amount of fines. Businesses are given a 30-day window to remedy the violations before a fine is decided upon.
The CCPA also allows for private action: if personal information is exposed in a breach, consumers can sue for $100 to $750 per incident, or more if the actual damages exceed $750. This course of action applies only if the consumer’s sensitive information is subject to theft, disclosure or unauthorized access as a result of a business’s failure to implement the required security measures. It does not apply if the information had been redacted or encrypted.
Gartner’s Categorization of the CCPA Subject Rights Requests (SRR): Deliver Business Value with a User-Centric SRR Fulfillment Program [1]
Gartner, Inc. | G00376083
SRRs cover a defined set of rights where individuals have the power to make requests regarding their data, and where businesses handling this data must address these requests in a defined time frame (45 days in the case of the CCPA).
Whereas many businesses may be focusing on the fines or the litigation, subject rights requests left unmanaged have the potential to become “death by a thousand cuts,” costing the business millions of dollars on an ongoing basis. By 2021, 80% of the negative financial impact of the CCPA will come from failure to implement a scalable subject rights workflow, as opposed to regulatory fines and litigation.
Although the CCPA mainly impacts businesses processing personal data pertaining to California residents, the state’s standing as the largest both in terms of population and economy puts the CCPA in a strong position to influence how businesses manage personal data across the United States.
Much like “organic” foods or “cruelty-free” cosmetics, “privacy-preserving” capabilities are conviction-based motivators. Your customers are increasingly inclined to cross the road to the competition, and in some cases pay a premium, if that is where they believe their personal data will be best handled.
So, gain clear differentiation in customer experience by delivering scalable rights to data subjects. This is an approach that incentivizes the business to be transparent and trustworthy and ensures that customers have control over the use and sharing of their data. Together, this enhances not only data value but enterprise and brand value as well.
When taking on the CCPA, or any new privacy regulation, businesses often start by conducting a discovery exercise to identify where the personal data in scope is located and how it is used. This prioritizes a binary approach based on task completion — are we compliant? — rather than a measurement-driven approach — how compliant are we?
Unlike the breadth covered through the GDPR, the CCPA focuses on extending certain rights to individuals. Measurement is driven by the business's capacity to fulfill these subject rights requests (see Figure).
SRRs come in three categories:
- Right to know (but not always) – Informative: Rights focused on providing individuals with access to their data. This class of requests includes the most commonly sought SRRs, typically known as subject access requests (SARs or data SARs [DSARs]), where individuals seek to view what data the business holds on them.
- Right to correct (but only sometimes) – Corrective: Rights focused on allowing individuals to manipulate their data or their preferences. At the extreme, corrective rights allow individuals to delete their records.
- Right to object (to certain uses/sharing) – Restrictive: Rights focused on allowing individuals to control how their data is processed. Under the CCPA, individuals have the capacity to object to the sale of their data to a third party.
There are two approaches through which businesses can deliver subject rights: the traditional model and the self-service model.
A traditional fulfillment model involves a predominantly manual approach. The request may be captured through a ticketing system for case management; however, the process of compiling (in the case of access) or purging (in the case of erasure) is manual.
A self-service model provides customers with a portal where they can self-serve the most popular SARs initially, or all rights under the CCPA. The process automates verification, case management and fulfillment, allowing intervention from the privacy team if and when needed.
Thus, SRM leaders tasked with delivering subject rights have two options:
- Take the traditional approach with lower capital expenditure upfront and higher operating expenditure.
- Choose the self-service approach, which demands a much higher capital expenditure but a lower operating expenditure.
Why should you pay attention to SRRs, and more importantly, through the self-service model? [1]
It’s like asking why strategic resource management leaders would divert valuable resources to address what some consider yet another regulation with yet another form to fill in.
For instance, Microsoft demonstrated the potential impact of CCPA subject rights when it launched its global privacy self-service portal with the advent of the GDPR. In the first year, it received 18 million requests, [2] of which 6.7 million (37%) came from the U.S. The CCPA will only serve to educate more consumers about their rights.
Had Microsoft instead handled the process manually, an approach taken by many businesses — at, say, even the unrealistically low cost of $100 per request — the financial outlay would have totaled $670 million in the U.S. alone.
Ultimately, the traditional approach is a sunk cost, while the self-service model can be leveraged to demonstrate to users the business’s transparency and how it endeavors to place control back in the hands of individuals regarding their personal data.
We have seen that achieving compliance is not an easy task, mainly because regulations are multidimensional and many facets are involved in demonstrating compliance. The CCPA is no different. While consent and preference management is the cornerstone of CCPA compliance, businesses tend to forget the core ideology behind all of these regulations: data security. Protecting the online identities of users and ensuring a safe haven for digital transactions has gained paramount importance in today’s world. This is why, while consent management is important in establishing a secure privacy framework, it alone does not get you across the line. A robust data security policy, which enables a business to thoroughly scan for and isolate all the sensitive data it possesses and then secure that data using anonymization and pseudonymization mechanisms, is equally, if not more, important.
MENTIS helps businesses in their CCPA compliance initiatives through our market-leading and patented sensitive data discovery mechanism, along with downstream data protection mechanisms like anonymization, monitoring, and retirement, all in a single integrated platform.
The MENTIS data and application security platform is a single integrated platform that protects sensitive data across its lifecycle, with modules for sensitive data discovery, static and dynamic data anonymization, data monitoring, and data minimization. The built-in separation of duties and flexible architecture accommodate the complexities of enterprise application security with ease.
We have successfully implemented our solution in large enterprises like a global conglomerate, one of the top Swiss banks, and Ivy League universities.
[1] Gartner: How to Prepare for the CCPA and Navigate Consumer Privacy Rights. Published: 12 June 2019, ID: G00376083. Analyst(s): Nader Henein, Lydia Clougherty Jones.
[2] “GDPR’s First Anniversary: A Year of Progress in Privacy Protection,” Microsoft Blog.