By now, you’ve likely heard the acronym CCPA. If you haven’t, well then you definitely need to read on. CCPA stands for the California Consumer Privacy Act, which is a sweeping data privacy law passed in California that went into effect at the start of this year.
The bill was passed rather hastily, after only a week of legislative debate in order to force the withdrawal of a data privacy bill that would have been more onerous on businesses. It was passed into law with little or no input from the industry.
Because of this, much of the law is vague. However, if you are a for-profit business that meets any of the below three criteria, you fall under CCPA regulations:
- Have more than $25 million in gross annual revenue (this includes parent companies and subsidiaries combined)
- Collect data on more than 50,000 California consumers
- Make more than 50% of your revenue selling consumer data (i.e. data brokers)
As an example of the cloudiness of this legislation, it is unclear if the $25 million limits for annual gross revenue is met with California revenue alone or if it is met with global revenue. This issue may ultimately be settled in the courts. In the meantime, organizations must err on the side of caution and consider global revenue to be the rule. This means those organizations that have a global gross annual revenue of over $25 million, for all intents and purposes, fall under the CCPA if they do business in California. If you have a website that collects customer information, you technically are doing business in California.
The California Attorney General’s Office (who is tasked with enforcing CCPA) is not going to come breaking down your door with pitchforks and torches. Grace will likely be shown to organizations who show they are working to adhere to CCPA regulations and are taking steps to protect consumers from personal privacy violations and the unnecessary or blatant traffic and trade of their data.
The end goal of this legislation is to ensure that organizations are making strides to protect consumer information and are not profiting from their misuse. However, that doesn’t mean that your organization is not vulnerable. You need to begin to ensure you are in compliance with not only CCPA but the growing calls for increased consumer information protection worldwide.
What is Personal Information Under the CCPA?
One of the stunning aspects of the CCPA is the broad view the law takes of personal information. While most organizations are not collecting much of this information, it is helpful to understand the information that the law covers. The list is below:
- Typical personally identifiable information including name, physical address, IP address, email address, Social Security number, driver’s license number, passport number, etc.
- Any identifying personal information about a consumer’s protected status under California law including sexual orientation, gender identity, race, color, ancestry, national origin, religion, sex, medical conditions, disabilities, genetic information, marital status, military/veteran status, political affiliations, and status as a victim of assault or domestic violence
- Purchase information including records of personal property, products or services bought, obtained or considered, or other purchasing histories
- Biometric information
- Digital network activity including browsing history, search history, and information regarding a consumer’s digital interaction.
- Geolocation data
- Audio, electronic, visual, thermal, olfactory (smell) or similar information
- Professional or employment-related information
- Education information that is not publicly available
- Inferences that could help build a profile of the consumer
One of the things I find interesting about this list is that the law is, in some ways, looking out into the future and anticipating consumer information that will be collected more broadly in the future. Things like thermal and olfactory data are certainly not data most organizations would even consider collecting today. But when you consider the increased proliferation of smart wearable devices, this is data organizations may increasingly want to collect or will be collecting, on consumers.
Also, biometric data is covered. When you consider that we are more frequently using our faces as personal identifiers, this means any photographic data you have on a consumer may be covered under CCPA, if that photo could be used to identify a consumer.
What are Consumer Rights Under the CCPA?
Below is a basic look at consumer rights under the CCPA:
Disclosure: If requested, a business must divulge the personal information collected or sold, for a business purpose, about a consumer. This includes the third parties with which the business has shared consumer personal information.
Access: A business that collects a consumer’s personal information must inform the consumer as to the categories of personal information to be collected and the purposes for which it will be used.
Deletion: A business must delete the personal information it collected on a consumer and direct service providers to do so as well in response to a consumer request. This is subject to certain exceptions, such as if deleting the data would be in violation of other regulations.
Anti-discrimination: A business must not discriminate against a consumer who exercises any of the consumer’s rights under the CCPA.
Opt-Out and Website Requirements: A business that sells consumers’ personal information to third parties needs to provide notice to consumers. It must also inform the consumer that she has the right to opt-out of the sale of her personal information. A business must provide a “Do Not Sell My Personal Information” link on its website homepage which allows a consumer to “opt-out.”
What are the Penalties for Non-Compliance?
The CCPA will generally be enforced by the Attorney General. Penalties can go up to $7,500 per violation. A consumer can seek damages ranging from $100 to $750 per violation or actual damages, whichever is greater.
Ways to Prepare Your Organization for the CCPA
Below are the steps that organizations should take to get compliant with CCPA and ensure they are properly prepared for other data privacy regulations.
Update Privacy Notices and Policies
If you are currently or plan to sell consumer data to third parties, you will need to create an opt-out link on your homepage. This “Do Not Sell My Personal Information” link should enable a consumer to opt-out of the sale of the consumer’s personal information. For the majority of businesses, those not selling consumer data to third parties, this opt-out link can be ignored (although it should be made clear on your website that you do not sell consumer information to third parties).
You should make it clear the rights that California consumers have under the CCPA on your privacy page. The below consumer rights should be added to the page:
- The right to know which personal information is being collected
- The right to know if personal data is being sold or shared, and to whom
- The right to object to the sale of personal data
- The right to access one’s own personal information
- The right to equal service and price, even for consumers who exercise their privacy rights
You should also post instructions on how consumers may exercise these rights. This can be as simple as a phone number and an email (you will want to include two ways a consumer can contact you as per California law). You should make it clear that if the consumer wishes to exercise their privacy rights, they may do so by using the corresponding contact.
Review Third Party Vendor Contracts
The CCPA stipulates that businesses may use service providers and personal information with them without constituting a sale. That’s if the sharing of the information is necessary to perform a business function. For instance, if the information is necessary to fulfill an order, marketing, analytics, and similar services.
Under the CCPA, a service provider means a for-profit legal entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract. The contract must prohibit the service provider from using the personal information for any purpose other than for the specific purpose under the contract or otherwise specified under the law.
Because of this, organizations should review their existing agreements with third-party service providers that are likely to be collecting or processing California consumer information to ensure they include the required language.
Contract provisions should address appropriate security safeguards, data breach reporting obligations, use and disclosure limitations, data retention and disposal, and the ability to assist the business in responding to a consumer rights request.
You may consider negotiating, reviewing, or renegotiating existing agreements to ensure compliance with access rights.
Prepare for Access and Deletion Requests
Your organization should begin preparing now for access and deletion requests from consumers. It is important to have a plan in place in the case that an individual consumer does reach out and ask for either access for the data you have stored on them or requests you to delete the data you have stored on them.
Remember that a business will need to disclose, in response to a verifiable consumer request, the following:
- Categories of personal information the business has collected about the consumer
- Categories of sources from which the personal information is collected
- Business or commercial purpose for collecting or selling personal information
- Categories of third parties with which the business shares personal information
- Specific pieces of personal information the business has collected about the consumer
Organizations should be able to identify and, in a digestible format, be able to disclose to any individual consumer the above data in a timely manner.
Consumers have the right that a business deletes any personal information about the consumer the business has collected. Upon request, the business must delete the information and direct any service provider that has processed that consumer’s information to do the same. That unless, essentially, the information is needed to conduct ongoing business or it is required to be retained under the law.
If the data your organization collects is primarily used to fill a legitimate business function that has been requested by the consumer, the idea that you will receive a flood of deletion requests is probably pretty low. Yet, it is in the interest of the organization to consider and plan for fulfilling a deletion request if one is presented. The only reasonable way to fulfill such a request will be to know some key information about your data. This key information can really only be discovered by data mapping.
Map Your Data
A critical component to adhering to data privacy regulations now and in the future is to know the following about any consumer data that you possess:
- What data are you collecting?
- Where is it stored (at rest) and how is it shared (in transit)?
- Do you have proper consent to possess the data?
- How is it secured, and can you prove it is secure?
- How critical is the data?
- What are you sharing?
- Who are you sharing it with?
Data mapping will help you to answer the above questions. It will help you discover where data is being stored, who has access to it, how it is being processed, and where is it resting if it needs to be deleted. It will document all of the data collection channels that you utilize.
This is done through a series of comprehensive interviews with key stakeholders and an audit of your network. The deliverable is a blueprint. This blueprint will offer an organization a complete look at the data it has, where it is stored, how it moves in transit, who has access to it, and how secure it is.
This is a service that Future Point of View has provided to many different organizations in a variety of industries.
One of the ways you can ensure that you are safeguarding data in a maximum way is data segmentation. To segment your data, first you must rank your data based on criticality. For instance, consumer personal information would be of high criticality. So would important intellectual property. This is the type of data that will require extra scrutiny and security.
After ranking data based on criticality, you will then be able to segment your data. High criticality data should be separated from low criticality data. Therefore, you will be able to provide extra security to this highly critical data while not bogging down access to low criticality data that may be accessed by a wide variety of people often.
It is important to practice least privilege. This means that people should only have access to the data they require to complete their jobs. Least privilege will help keep critical data in a secure silo, so it’s less likely to leak out into places you wouldn’t want it to.
Complete an Application and Data Security Assessment
An application and data security assessment will help you to identify risk exposure specifically within applications and data. It will help you understand any vulnerabilities when it comes to internal and third-party vendor applications that hold critical consumer information. The following are some of the things that are completed during this assessment:
- Identify security controls around data storage; identify if data is moved from higher security control to lower security control area
- Application testing run in various modes, unauthenticated and authenticated, using manual and automated testing. This includes testing access controls (privilege escalation, profile hopping), authentication mechanisms for multiple user levels, session management (session variable strength, timeouts, cookie usage), server-side and client-side input validation (overflows, injection flaw, cross-site scripting), and encryption
- Analyze logging capabilities of applications (error generation, the verbosity of error messages, debugging)
Develop a Data Retention Policy
After understanding what data you have and how that data is secured, it is worth considering if you really need the data. If the data is unnecessary for a business function, it may be worth expunging it. In the past, vacuuming up as much data as possible was the norm. This, of course, was before the enormous mega-breaches of the past decade which jilted consumers and drove regulators into action.
You may want to consider developing a data retention policy, if you have not done so. This will be guidelines regarding how long important information should remain accessible, when it is no longer needed, and when it should be destroyed. The schedule will be based on data type, ownership, business value, and regulatory compliance mandates.
It could be prudent to weigh the business value of the data alongside the risk (whether financial or reputational) the organization would face if that data were leaked. Data retention is no longer just about space, it is more about what would happen if that data were to fall in the wrong hands. If the risks of it being lost or leaked outweigh its reward to the organization, then the data should be destroyed (barring any legal or regulatory compliance needs).
Develop a Data Breach Plan
A requirement of the European Union’s General Data Protection Regulation (GDPR) is that organizations have 72 hours to report a data breach to regulators. Therefore, speed is critical when a data breach is discovered. Not only speed but how one handles a data breach notification is of the utmost importance. Consider Marriott. When a data breach was discovered inside the network of the Starwood reservation system, whom Marriott had recently acquired, Marriott was roundly criticized for sending out a notification email to customers under the rather spammy domain “email-marriott.com.” It was pointed out that such a domain could be easily spoofed. This is just one example of how a bungled data breach notification can make a terrible situation worse.
It is important to prepare for the event that a data breach does occur. To do so, one must develop a data breach notification plan or playbook. This plan or playbook will lay out exactly what everyone is responsible for in the case of a data breach and how they should react. This would include HR, public relations, legal, marketing, IT, and leadership. All facets of the organizations will be involved in response to a data breach. A data breach response plan will equip everyone with the tools so that in the event a data breach does occur, each department and each team member know exactly her role and what she is responsible for.
The development of this plan or playbook can be followed up by tabletop exercises. In these exercises, team members will be presented with a scenario (a data breach) and will be tasked with responding based on the plan or playbook that was created. These exercises are designed to both test team members to ensure they understand how to respond as well as to test the plan to ensure that there are no gaps or weak areas in the plan that need to be altered or improved.
We have helped organizations both design data breach playbooks as well as facilitated tabletop exercises for these organizations.
The CCPA seems daunting. Yet, for most, it is nothing to fear. In fact, it should act as an opportunity for your organization to continue to improve its data privacy practices and the way it protects consumer information. Consumers are beginning to hold organizations accountable for the way they handle personal information. They are less likely to do business with a company or business they feel will not properly safeguard their information. Therefore, you need to begin treating data privacy as a business asset.
While legislation such as CCPA and other regulations can seem like a nuisance, they should be seen as an opportunity to serve your customers more effectively. The pendulum of privacy is swinging in favor of the consumer and that is likely not going to change anytime soon. Therefore, it is important for you to prepare for the new normal in data privacy. Taking the steps laid out above will help your organization ready itself for the future.
Written By Corey White, Partner & SVP Intelligence at FPOV – Corey White is tasked with helping leaders look out into the future and anticipate how technology will impact their organizations and themselves. He is focused in the areas of machine intelligence, cybersecurity, and data privacy.