What You Need to Know About CCPA Compliance
Collecting and processing customer information has become an integral part of running a business in 2021. Whether you’re operating a brick-and-mortar retail store or an e-commerce business, you likely collect a plethora of personal information from customers. Also, you might engage in the buying and selling of consumer data.
This, in turn, has raised various concerns about data security and privacy. Also, it’s compelled regulatory bodies to formulate laws to protect the privacy rights of consumers. One such law is the California Consumer Privacy Act of 2018, which became enforceable from July 2019.
Non-compliance with CCPA can result in expensive lawsuits and penalties for your company. If your target consumers include California residents, it’s high time you prioritize CCPA compliance.
What is CCPA?
CCPA is a law enforced by the California state legislature that aims to safeguard the data privacy rights of California residents. It doesn’t prohibit you from collecting, sharing, or selling consumers’ personal information. However, you’re obligated to maintain complete transparency about how you store, process, and sell this data.
Consumers must have a clear idea of how and why you’re using their personal data. Also, the law mandates you to provide them with a way to place requests for accessing, changing, and/or deleting their information. You even have to provide them with simple tools to opt-out of selling their data.
Additionally, the law outlines specific rules for buying, receiving, and selling information about minors. For consumers below the age of 13, you must obtain consent from their parents or guardians before collecting or selling their information. For consumers aged between 13 and 16, you must obtain the consumer's own consent.
CCPA classifies the following types of data as personal information:
However, publicly available information, such as data collected from federal, state, or local government records, doesn’t fall under the purview of CCPA.
Who Does CCPA Apply to?
CCPA applies to businesses that cater to California residents and satisfy one of the following criteria:
- Earn a gross annual revenue of $25 million or higher.
- Collect, process, or sell information of more than 50,000 residents, households, or devices in California.
- Earn 50% or more of their annual revenue by selling California residents’ personal information.
Even if your company doesn’t meet the aforementioned criteria, it’s wiser to focus on CCPA compliance if your target consumers include California residents.
It’ll ensure that you don’t face any lawsuits or penalties as your business grows and revenue increases. Also, your business doesn’t have to be based in California (or even in the U.S.) to fall under the purview of CCPA.
Insurance companies and agents are exempt from CCPA because they're already subject to the Insurance Information and Privacy Protection Act (IIPPA). Additionally, the law doesn't apply to non-profit organizations or government agencies.
What are the Penalties for Non-Compliance?
Non-compliance with CCPA can lead to two kinds of consequences. First, regulators can take action against you for a violation. Once they notify you of the violation, you'll have 30 days to bring your business into compliance. Failing to do so will result in penalties of $7,500 per record.
CCPA also includes provisions for consumers to sue businesses for violation. Consumers can submit complaints to the Attorney General, who, in turn, will file a lawsuit against the corresponding business.
You’ll get a 30-day window to rectify the violations. Otherwise, you’re at risk of facing hefty penalties and class action lawsuits.
Consumers can also seek monetary compensation from a business in the event of a data breach. You’ll have to compensate them for the actual damages due to the breach or pay statutory damages of up to $750 per incident.
How ArmorPoint Supports CCPA Regulations
There are three primary areas where security tools like ArmorPoint XDR can assist businesses with meeting CCPA regulations.
To comply with CCPA, the data controller has to demonstrate that they follow the rules set out in the regulation and that they have promptly executed any data subject/consumer requests. To do this, businesses need to provide audit trails. Security tools like ArmorPoint XDR provide organizations with detailed logs so they have full visibility into their compliance with CCPA requests.
Currently, the CCPA leverages breach notification obligations that exist under the state’s general breach notification statutes.
California Civil Code s. 1798.29(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
According to California Civil Code s. 1798.29(a), entities that discover, or are notified of, a security breach impacting California residents must be able to notify affected parties and authorities in a timely fashion, and must be able to document the scope of the breach to aid in recovery.
Security tools like ArmorPoint XDR support these breach notification obligations in two ways: they aid in the discovery of breaches, and their alerting and case management capabilities leave organizations with thorough audit logs of when and how a breach was discovered and which assets and data were impacted.
Maintain reasonable security procedures and practices.
According to CCPA Section 1798.100(e), "a business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with section 1798.81.5." If a company fails to implement reasonable security procedures and practices, it could be fined up to $750 per consumer per incident.
Security tools like ArmorPoint XDR enable businesses to implement and maintain reasonable security procedures and practices with capabilities like log management, threat intelligence, user and entity behavior analysis (UEBA), real-time event correlation, security automation and orchestration, and vulnerability management.
Organizations can also store, organize, and quickly extract network data and information to demonstrate their company's compliance on demand, making it faster and easier to track and organize critical data points. These optimized compliance management and reporting processes allow companies to maintain compliance and audit-readiness at all times, and they also help mitigate costly future violations. ArmorPoint offers subscribers an out-of-the-box reporting library with templates contractors can use to demonstrate their compliance with CCPA standards.
If your business is looking to start the journey towards CCPA compliance and needs help getting started, contact us today.