What you need to know about the CCPA

Written By Adam Joe

What does the CCPA mean for your business?

Official legislation from January 1st, 2020, the California Consumer Privacy Act, or CCPA, was created to provide adequate data privacy protections for all California citizens and residents.

For businesses, it presents a risk of state-administered financial penalties for non-compliance, alongside the opportunity for private legal action from those affected by such non-compliance.

With fines and penalties of significant amounts possible, any business must ensure compliance with the new legislation, but what does that mean for business operation and risk?

Does it affect my business?

Before discussing how the CCPA can impact your business, it is first essential to establish whether it applies to your business. Several privacy and data protection bills are coming online worldwide, the European Union's GDPR being perhaps the best known, and the Californian law follows a similar pattern.

If you do business in California, whether you are physically located in the state or not, and your business either has an annual gross revenue of $35 million or more, you deal with the personal information of more than 50,000 consumers or households for commercial purposes, or more than 50% of your business’ income is derived from the sale of your customer’s personal information, then the CCPA applies to you.

CCPA Scope

Knowing that the CCPA applies to your business, you need to understand the effects and requirements. Like other data privacy legislation, the focus is on providing rights to control and protect their data. The three specific elements of the CCPA are:

The Right to Access Information

Californian consumers must be able to know which categories of personal data about them have been collected or sold, including where it was sold, who it was sold to, and the reason it was sold.

The Right to Data Deletion

Californian consumers can request any company that has collected personal data about them must delete all held data.

The Right to Opt-Out of Data Collection or Sale

Californian consumers can request that a company must not collect or sell their information to third parties. Within the CCPA, 'sell' includes more than a monetary transaction and consists of a range of other transaction types too.

Managing Data

For businesses, this is the more far-reaching privacy legislation within the US and mirrors some of the stringent protections put in place by the GDPR in Europe. Compliance means putting in place several processes to monitor, control, and manage data discovery, data privacy, and overall risk.

The first aspect of data privacy that should be covered is the need to inform Californian consumers that you will collect their data before you do so. Placing prominent notices on web forms and other data entry points allows those consumers to make an informed choice. The message must be clearly visible and unambiguous, and it must include a 'do not sell my data' opt-out to comply with legislation.

A significant privacy policy must be in place, including details of the type of data collected, whether that data is shared with or sold on to third parties, how consumers can request to have their data deleted, and how to opt-out of their data being sold. It must also ensure non-discrimination for privacy preferences.

Dealing with the Risk

However, it will be data handling itself for most businesses where the risk of compliance failure is most likely. The need to maintain data privacy is crucial. While there are different processes for handling consumer requests and other technical aspects of the legislation, the most considerable penalties apply to security breaches. As such, data protection is at the core of any response to CCPA. There are two transparent processes to achieve this.

Data Discovery

A critical aspect of the data handling process essential for CCPA compliance is data discovery, as sensitive data mustn't be left unprotected in any part of the business process. Classification takes this further, and it ensures that all applicable data can be dealt with as required by the legislation.

Data Masking

An effective data masking solution protects sensitive data to ensure it is only visible to those who need to see it. With stored personal information, this is the best approach to safeguard against CCPA breaches through malicious actions.

However, few businesses have in-house solutions to cover these data handling processes. Instead of the expense of developing internal systems, our turnkey solutions offer the necessary tools to maintain CCPA compliance in a user-friendly and cost-effective way. Using AI-driven operation, our data discovery algorithms provide peace of mind by ensuring that all relevant data is classified and protected as needed.

Similarly, our data masking solution integrates seamlessly into your systems, delivering the necessary data privacy protection required, and ensuring you remain CCPA compliant without the expensive outlay of bespoke solutions.

See how Apption's Datahunter can help discover, monitor risk, and protect unstructured data.

Adam Joe
Previous

Data Quality - The Cost of Poor Data Quality
Next

AI Readiness - Missing this step could cost you