
Navigating CCPA Regulation: 8 Essential Compliance Tips for Businesses


What are CCPA Regulations?

The California Consumer Privacy Act, otherwise known as the CCPA, is a California law that went into effect on January 1, 2020. According to the State of California Department of Justice, the law “gives consumers more control over the personal information that businesses collect about them.” The CCPA was groundbreaking at the time: consumers in the US previously had little control or say over how their personal data was collected, used, and sometimes sold. It gave US consumers the ability to protect their own personal information, much as the General Data Protection Regulation (GDPR) did for consumers in the EU.

The California Consumer Privacy Act gave California residents:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale or sharing of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

What businesses do the CCPA regulations apply to?

The CCPA regulations do not apply to all businesses. The State of California Department of Justice shares that:

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, sell, or share the personal information of 100,000 or more California residents or households; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

Let’s walk through if your organization qualifies for this regulation and how you can prepare for it:

1. $25 million in gross annual revenue

  • Applicability
    • The $25 million threshold is measured against the business’s total gross annual revenue, not just revenue earned within California.
  • Confusion and clarification
    • The statute does not limit this revenue to California, and the Attorney General’s office has declined to clarify. As a result, a business with only a small presence in California but global revenue exceeding $25 million may still fall under the CCPA.

2. 100,000 California consumers or households

  • Definition of consumer
    • The CCPA defines a “consumer” as a natural person who is a California resident. The 100,000 threshold therefore counts California consumers or households, not the total number of records or individuals worldwide. (The original 2020 text set the threshold at 50,000 consumers, households, or devices; the CPRA raised it to 100,000 and dropped devices.)
  • What constitutes “Receives”
    • The original statute counted personal information a business “buys, receives for the business’s commercial purposes, sells, or shares,” and the lack of clarity around what “receives” means has led to a conservative interpretation: any obtaining, storing, or use of personal information on 100,000 or more California consumers or households, whether collected directly or obtained through a third party, may bring a business under the CCPA.
  • Type of information
    • Personal information is defined broadly and includes names, addresses, email addresses, Social Security numbers, and any other identifiers that identify, relate to, or could reasonably be linked with a particular consumer or household.

3. Personal information sales

  • Threshold for compliance
    • A business falls under the CCPA if it derives 50% or more of its annual revenue from selling (or, under the CPRA, sharing) California consumers’ personal information.
  • Definition of “Selling”
    • The term “selling” is broadly defined in the CCPA to include renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration.
  • Obligations for sellers
    • Any covered business that sells or shares personal information, whichever threshold brought it in scope, must honor opt-out requests and provide a clear “Do Not Sell or Share My Personal Information” link on its website.

How to be CCPA compliant

Before the internet, brick-and-mortar businesses focused on physical security, such as door locks and security guards. Today, businesses must consider both online and offline practices. In terms of online practices, organizations must address cybersecurity and compliance with the CCPA. The CCPA requires businesses to implement and maintain reasonable security procedures and practices to protect consumer personal information from unauthorized access, use, or disclosure, and a data breach that results from failing to do so exposes the business to the CCPA’s private right of action.

The steps below can help you work towards CCPA compliance.

Step 1: Commit to a cybersecurity program

Proactively engage in a cybersecurity program that secures Personally Identifiable Information (PII) and prevents data breaches. Building robust cybersecurity measures is not just about compliance but also about the overall protection of sensitive data.

Step 2: Obtain board-level support for CCPA compliance

Secure support from executives and board members. Such support bridges the business and technical sides of the organization, aligns efforts, and minimizes gaps in compliance.

Step 3: Conduct a gap analysis

Assess your current state of compliance against the CCPA’s requirements and identify the areas that need improvement. This lets you prioritize effort and resources where they matter most.

Step 4: Inventory assets and map data flow

Maintain a detailed inventory of all assets that store or process personal information and map how that data flows through the organization. Knowing where personal information enters, where it is stored, who it is shared with, and when it is deleted is essential to implementing proper controls and to answering consumer requests to know or delete.

Step 5: Create policies, procedures, and processes

Develop and document specific policies, procedures, and processes to manage CCPA compliance. Having a clear framework is critical to consistent and effective data management.

Step 6: Implement a security program or partner with experts

Either implement a security program to secure personal information or partner with specialized firms like Cyber Defense Group. Expert guidance or robust internal programs can ensure that the particular requirements of CCPA are adequately met.

Step 7: Ensure employee communication and training

Implement proper communication channels and training programs related to CCPA for all relevant staff. Compliance is a team effort, and employees at all levels must understand their roles and responsibilities.

Step 8: Monitor and audit regularly

Implement a regular monitoring and auditing program, including annual assessments. Regular checks ensure that compliance efforts are sustained and effective, allowing for timely adjustments as needed.

The addition of CPRA

After the CCPA went into effect, California voters approved the California Privacy Rights Act (CPRA) in November 2020 as an amendment to the CCPA; most of its provisions took effect on January 1, 2023. The CCPA and CPRA, together with the California Privacy Protection Agency created by the CPRA, give California residents insight into how their personal information is collected, stored, and sold. Specifically, the CPRA governs how businesses are:

  • selling or sharing consumers’ personal information
  • collecting consumers’ personal information
  • disclosing whether consumer data was involved in a data breach

With the addition of the CPRA, it is essential to confirm that your organization has everything in place to appropriately collect, store, and sell California residents’ personal information, and the infrastructure to let any consumer know, opt out of, delete, correct, or limit the use of the data your organization holds on them.

If you are looking for a trusted partner who understands the California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA) and how to implement the new privacy policies, the experts at Cyber Defense Group can help. We are dedicated to delivering cybersecurity programs that are as dynamic and forward-thinking as the businesses we serve. Schedule a free consultation today to learn more.