What is CCPA: How Businesses Can Be Held Accountable
California has a range of new legislation that is going into effect in 2020 that can radically shake up “business as usual” for your company, regardless of the size. The California Consumer Privacy Act is a robust, comprehensive Data Security and Privacy law that was ratified in 2018 and goes into effect on January 1, 2020. More specifically, as noted by Wikipedia, “the Bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg. The law intends to further protect California residents who do business with companies in the state, by enhancing their privacy rights, and ensuring that their PII (Personally-Identifying Information) is protected. Additionally, Californians are granted more control over their personal data - giving the average citizen an easier route to class-action lawsuits if their data is breached/stolen and the business does not comply with the law. Companies that do not comply with the new legislation can be fined and prosecuted by the Attorney General’s office.
Former federal laws, such as the PCI-DSS law, which pertains more to customer financial information, works in conjunction with the California Privacy Bill, which encompasses all types of customer PII that it means to protect. It is essential for business to take notice and adjust how they operate, since - in this age of Big Data - personal, identifying information is often collected, bought, sold, shared, and transferred to other businesses for a variety of purposes, often without the consent of the individual.
There have been several examples of businesses utilizing the personal data of consumers without their consent, for monetary gain, which this new Bill would change:
- Data Brokers: Data brokers are companies that intentionally - and usually legally - harvest personal (but publicly available) data of individuals to sell to companies.
- Cambridge Analytica Fiasco: Data harvesters associated with Cambridge Analytica had been harvesting data from millions of Facebook profiles to use in political ads, resulting in a scandal in 2018.
- Google/Facebook: Much of the way Google/Facebook and other social media platforms obtain their monetization is via targeted ads and the selling of consumer’s personal information.
As noted by Wired, according to the Interactive Advertising Bureau, companies in 2018 spent upwards of $19 billion obtaining, parsing, and analyzing customer data, which is often resold to companies without the user’s consent. How businesses carry out these activities - which are often very profitable - must be altered according to the new law, at the risk of being fined if due diligence is not carried out to comply.
With the inception of this new Bill, businesses who operate in California must ask themselves if they can afford to continue doing business in the State? Complying with the new law will require actions that may be costly, and not complying can result in massive financial penalties.
What is CCPA?
The California Consumer Privacy Act (CCPA) - also known as AB 375 - is a Bill that was quickly passed in June 2018 to replace a ballot initiative associated with customer privacy legislation and that went through several amendments before it came into effect on January 1, 2020. The Bill is primarily focused on protecting consumer’s privacy by giving them more freedom on what information they provide to companies, and how those businesses use the information, which is usually classified as PII. Companies must comply with several statutes which allow customers greater privacy on how their PII is handled. Including all companies with a presence in California or who, in some way, deal with California residents (thus, they need not physically be a California company or even a U.S.-based company). Along the way to being fully enacted, the Bill was amended due to many ambiguous passages and errors, including an amendment bill, SB 1121, which was signed by Governor Brown on September 23, 2018.
While the law is a state California bill, the State is unique and influential within the continental United States. California is not only home to three of the ten largest cities in America, but its economy is $2.7 trillion and is also home to 10 percent of all Fortune 1000 companies. This law is significant in how it shapes the way such a massive ecosystem of companies operate, from a financial, administrative, legal, and managerial standpoint. Many other states may also adopt a modified version of the law, which has happened before when California has enacted a unique state law that others later adopted, even up to the federal level.
The Right to Access Information
The CCPA is a bill that gives customers and consumers greater access, control, and freedoms over their personal information, including PII data that can identify them or their household. One such right is the right to access information, which means that consumers will be given the ability to know (request) who is accessing their information, why they are accessing/collecting it, and what type of information was collected or sold. When companies access such information and transfer that data to other parties, consumers can request from whom the data was collected, with whom the data is being shared, and to whom the information was sold. Importantly, when consumers make these requests, it is also required for businesses to supply answers in an easy-to-understand format.
The Right to Deletion
Consumers also have the right to request companies who have collected data associated with their PII to delete such data from their databases and data warehouses, enabling the consumer to control who has access to their data and who doesn’t.
The Right to Opt-Out
When companies collect the personal data of a consumer, said consumer now has the right to request that the business no longer collect their personal information for the sole purpose of sharing it with others. Along with the “right to deletion,” a consumer has complete control over their personal data, who has access to it, and who can retain and share that data.
What Types of Data Does CCPA Encompass?
CCPA focuses on the protection and control of consumer PII and dictates that companies who do not comply by protecting such data - or who unlawfully collect and sell such data - can be penalized.
It is crucial to know the types of data that CCPA applies to, which can apply to an individual or household, and with any unique, identifying information that can be used to identify a person/household:
- Identifiers: Name, Address, IP Address, Email Address, Account Names, SSN/Driver’s License Number, Passport Number, Biometric Information, Browsing History, Geolocation Information, etc.
- Commercial information: Personal Property, Products or Services purchased, E-commerce purchase history, etc.
- Professional and Educational Information: Professional or employment history/information, Educational history/information, etc.
The CCPA coverage and provisions have been likened to being a “lite” version of the General Data Protection Regulation (GDPR) law of Europe. While the laws are similar, CCPA’s coverage of PII is more broad and general, while uniquely covering educational information and history.
Who is Covered by the CCPA?
The CCPA regulation specifically covers residents/consumers in the State of California. It applies to almost all businesses that carry out their enterprise within that state, including national and even international companies. However, there are some specifics to be aware of, as noted by CSO Online:
- Companies with an annual income of over $25 million and who serve California consumers must comply with the law.
- Additionally, a provision that applies mainly to data brokers and social media platforms (among other businesses) dictates that companies of any size that earn half of their revenue by selling personal data, along with businesses that have private data on 50,000 consumers, must comply with the law.
- CSO Online also notes that “an amendment made in April exempts ‘insurance institutions, agents, and support organizations’ as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).”
It is also important to note that companies should have set up a robust data tracking system by 2019, due to the provision that consumers could request the prior 12 months of data collection processes associated with them at the time that CCPA came into effect (January 1, 2020).
How Will CCPA Regulate Data Security?
While the CCPA is mostly a data privacy bill, it also includes provisions associated with data breaches of that private information (consumer PII). Specifically, personal records, data, and information (unencrypted PII) that are breached can result in a fine of up to $750 in damages per consumer per incident, or the actual damages, whichever is greater. Thus, companies must undergo due diligence to utilize best practices (including using secure encryption) to mitigate all data breaches by optimizing their information security practices and hardening their IT infrastructure.
There are several examples of companies that have been hacked, resulting in the PII of consumers being leaked to the offender, such as the Uber data breach that had the PII of 57 million customers and drivers breached in 2016. Under this new law, the company would be responsible for hefty fines. If any customer had opted-out or requested the deletion of their PII beforehand, a class-action lawsuit and fines from the Attorney General’s Office would be in order.
How Are Companies in Violation Held Accountable?
The expansive CCPA bill includes provisions for two significant factors associated with consumer data:
- The Privacy and Control of Consumer PII
- The Security of Consumer PII/Data
Fines are a normative penalty associated with each record of unencrypted consumer PII that is leaked in a data breach, usually for $750 per consumer, per incident. Additionally, if the business intentionally violates the new privacy stipulations and provisions, and the Attorney General decides to prosecute the privacy violations, they can be fined $7500 per intentional violation, or $2500 per violation if each violation is not “cured” within 30 days. Even if the AG’s office does not prosecute, consumers can sue.
As a new provision, consumers can sue companies via a class-action lawsuit if the company violates their privacy rights which includes several scenarios, such as:
- A consumer can write to a company indicating that they believe their privacy rights have been violated - for instance, they have opted out, but their data is still being collected and sold. If true, and if it's not cured within 30 days, the consumer can bring a class-action lawsuit against the company, or the attorney general can prosecute. If the AG prosecutes, then fines of up to $7500 per violated consumer (record) can be thrust upon the company, which can result in millions of dollars in fines, making breaches all the more costly.
- The law also stipulates that companies must have a “clearly visible footer on websites offering consumers the option to opt-out of data sharing.” If that footer is absent, whether it be intentional or not - or if the customer is unable to find out (via request) how, why, and where their data is collected and sold, customers can sue. It is essential to note once again that companies have 30 days to comply with requests and data privacy violations.
Massive fees can be involved when companies do not comply with the stipulations and provisions of the CCPA bill. Amendments may come about, but as of now, fines include up to $750 per record that is breached and up to $7500 in civil penalties (by the Attorney General) for each record that is illegally collected/sold or not deleted when a breach occurs.
For large businesses, $7500 may not seem like much, but multiplying that by the number of illegally collected/sold records that are leaked during a breach can equate to staggering amounts. For instance, with the Uber case, fines would be $7500 multiplied by 57 million records if intentional privacy violations had occurred. These costs, however, do not include other penalties associated with breached records, such as:
- Violating PCI-DSS
- Expenses related to lawsuits attributed to the theft of consumer credit card data (litigation costs)
- Loss of revenue from loss of customers (damage to brand and lack of trust)
- Aa reduction in employee trust
- Increased customer churn
- The costs associated with hardening, patching and securing data systems
- Costs of remediating and changing product lineups and operations
- Costs to deal with exfiltration
- Costs to deal with further risk assessments, threat modeling, and security testing to ensure that future breaches don’t occur
As can be seen, data breaches and privacy violations are now an issue that can break a company’s financial backbone.
For the first time, CCPA provides that the everyday consumer can bring class-action lawsuits against large companies who have violated their privacy laws and rights for damages, even if the Attorney General does not prosecute with civil penalties. Class-action lawsuits provide people, who otherwise would not have an individual case, to collectively sue a company for damages that span across the spectrum of consumers (victims in this case). Such as with the Uber case where 57 million records were breached. The company took over a year to own up to the breach by actively concealing the truth of the matter.
How Can Businesses Achieve Compliance?
Businesses need to comply with the CCPA bill’s provisions and laws to cover themselves from financial and brand damage that could result in bankruptcy or significant losses in customers, both of which significantly affect a company’s bottom line.
The steps needed to comply are complicated but feasible, and can be broken down into two major categories associated with data privacy and data security:
- Internal Optimization: Internal procedures and “business as usual” needs to be strategically altered so that data is secure, and all privacy rights of consumers are respected. Strategizing steps should include the CEO, CIO, CISO, and board members, along with the CFO and COO.
Data Security: Business executives should ensure that their entire IT networks, data warehouses, and IT infrastructure is hardened, secure, and unable to be breached. This can include utilizing threat modeling, risk assessments, vulnerability analyses, and penetration tests.
Data Privacy: Websites and all e-commerce and social media platforms should include opt-out options in clear language. Executives should strategically ensure systems allow quick removal of consumer PII at the customer’s request, and for a system to be in place to disseminate to consumers how and why their data is being collected, and to whom their data is being sold.
- External Optimization: External vendors and third-parties should be audited to ensure that all data being sold to said parties meets the strict provisions of the CCPA so that the company complies with the new law.
Adjust Internal Procedures
Internal procedures need to be altered and optimized to both be in compliance with the law and to enable the pertinent employees to quickly reply to consumer requests concerning accessing or removing consumer data. Data tracking systems should have already been put in place since the CCPA stipulates that consumers can ask for data collection records up to 12 months back from when the law comes into effect.
Amend Privacy Policies on Websites
It is not only necessary but critical that companies update their digital properties and online assets to allow consumers to opt-out of having companies collect and sell their data. Additionally, channels should be put into place to enable consumers to audit their data quickly and to request that their data be deleted from company databases and data-warehouses.
Evaluate Partners and Vendors
As companies become affected by the practices involved in collecting, sharing, and selling data, the need for businesses to screen all parties associated with their data-collection and selling efforts arise to ensure that they are covered and are in full compliance with the CCPA bill. This is important since companies may utilize the services of data brokers who are illegally selling the data of consumers that have opted-out of data collection efforts or who have requested their data to be deleted. Businesses should also be aware of who they are selling customer data to. The reason being that in the event a consumer wishes to have their data deleted, all parties who received said data should ensure that the customer data is deleted, even among the third-parties that were recipients of that data.
Responsibility and Accountability
The creation of data privacy laws protect consumers and allow customers the freedom to control their private data. Nevertheless, it is the responsibility of companies to ensure that their internal behaviors are ethically inline with their business model of selling the relevant products or services. The rise of new data protection laws means that businesses must undergo due diligence so that their consumer’s data is protected and to ensure that they are held accountable for how they utilize consumer data.
Businesses should proactively work towards achieving compliance, both to protect its consumer’s privacy rights, and to avoid massive financial consequences, either in the form of fines from the Attorney General or customer lawsuits. Being proactive means strategically altering “business as usual” to ensure that strict data security policies are in place to protect consumer data. Workflows should be changed so that all consumer requests (associated with their privacy rights) can be acted upon swiftly and correctly. Legal aid may also help companies reach compliance more quickly.
Companies outside of California should begin to strategically modify and optimize their internal workings since California’s influence may mean that a federal law encompassing provisions like the CCPA may come into being soon. Complying with these laws will not only protect consumers but will gain their trust and ensure that more loyal brand ambassadors help to increase your company’s top line.
Found this post useful? Get more insights from our collection of blogs here.