CCPA is in effect - Now What??

On Jan 1st, 2020 as many of us were sleeping off the revelry from the previous night, silently the CCPA (California Consumer Protection Act) went into effect.

GDPR has been in effect for some time now, but it has mostly been viewed as a European thing not relevant to US companies if they don't do business with Europe. With CCPA, the lines get more blurry with US companies as many do business with people who are California residents.

Why do we care about data protection acts?  Everyday there are more companies with news of a new data breach. Companies have been very irresponsible in how they secure the data that they collect. Consumers must be protected. 

Cyber Security Statistics from 2019

  • Almost 15 Trillion Records have been lost or stolen since 2013
  • Cybercrime gains $1.5 Trillion in profits each year
  • Cybercrime costs businesses $6 Trillion annually in damages
  • USA is #1 in Data Breaches
  • The Capital One Breach in 2019 exposed 100 Million accounts
  • The Facebook Breach in 2019 exposed 540 Million accounts
  • If trends continue, by 2023, we will see 33 Billion Records stolen annually

https://www.thesslstore.com/blog/80-eye-opening-cyber-security-statistics-for-2019/

Who is impacted by CCPA

All California residents are protected regardless of their relationship with the organization (consumers, business leaders, employees) or whether the information is online or offline.

Which companies must comply?

  • Companies that handle personal information - any information that identifies a consumer of a household - of as few as 50K devices, individuals or households annually
  • Businesses with a revenue of $25M or more
  • Business earning at least half its revenue by selling the personal information of California residents

CCPA Timelines

  • Early 2018 - Consumer Right to Privacy Act of 2018 (in response to the Cambridge Analytica exposure)
  • May 25, 2018 - GDPR in effect
  • June 28, 2018 - CCPA enacted
  • Sept 13, 2018 - CCPA final bills voted on
  • Jan 1, 2020 - CCPA in effect
  • July 1, 2020 - CCPA enforced

So, while CCPA is currently in effect you won't be assessed fines or penalties until July. 

More States to Come

Along with California, many other states are also enacting their own data protection acts. 

  • These states started legislation but it appears to not be moving forward. It could respark at any time.
    • Washington
    • Mississippi
    • New Mexico
    • Texas
    • Rhode Island
  • Hawaii has a bill that would prohibit the sale of location data of smartphones without explicit consent
  • Nevada signed a bill which gives consumers the right to opt out of the sale of covered information by internet service providers and websites
  • Maine is poised to sign a bill that would prohibit internet service providers from selling data without consent (Minnesota is introducing similar legislation)
  • New York has proposed a CCAP-like law (S5462)

GDPR PII

GDPR Personally Identifiable Information

  • Name
  • Identification number
  • Email address
  • Online user information
  • Social media posts
  • Physical, physiological or genetic information
  • Medical information
  • Financial information
  • Location
  • IP address
  • Cookies

CCPA PII

Includes the GDPR PII but it also includes any information that would identify a "household"

  • Physical characteristics
  • Phone number
  • Education
  • Employment / employment history
  • Personal property / purchasing history
  • Biometric information
  • Geolocation data

CCPA PII - Consumer

CCPA also includes any inferences drawn about a consumer reflecting:

  • Consumer preferences
  • Characteristics
  • Psychological trends
  • Preferences
  • Predispositions
  • Behavior
  • Attitudes
  • Intelligence
  • Abilities
  • Aptitudes

CCPA Rights - Paraphrased

  • Disclosure – You must tell people what information is collected
  • Access – You must tell people how their data will be used
  • Deletion – You must delete all data upon request
  • Anti Discrimination – You can’t discriminate against people exercising their CCPA rights
  • Opt Out – You must give consumers the ability to opt out
  • Minors – You can’t sell any information on minors
  • Privacy Policy – You must keep it updated
  • Loyalty Programs – You can’t sell data associated with customer loyalty programs
  • Facial Recognition – If you have a brick and mortar, you must disclose the use of any facial recognition technology

CCPA grants these rights

  • The right to be informed of categories of personal information that a business collects or otherwise receives, sells or discloses about them
  • The right to be informed of the purposes of these activities
  • The right to be informed of the categories of parties to which their PII is disclosed
  • The right to prohibit a business from selling their personal information
  • The right to request that a business deletes their personal information

To prepare for CCPA, companies should

  • Be able to determine exactly what data they possess about a given person and to determine where it resides
  • Establish a clear set of expectations for handling compliance with CCPA
  • Determine a crisis management plan for breaches
  • Educate your employees about data sensitivity while both at rest and in transit

CCPA Penalties

  • CCPA has penalties of $2500 to $7500 for each intentional violation
  • Additionally, CCPA provides that in the event of a data breach a business may have to compensate the consumer from $100 to $750 per record breached

Non-Compliance with CCPA

Let's say that there are 1000 customers who wish to be deleted

  • If the data can’t be identified and deleted within 30 days after warning of non-compliance
  • Each instance costs $2500 in civil fines ($2.5M in fines)
  • If it was intentional it’s $7500 ($7.5M in fines)
  • If there is a breach and the info was not encrypted or redacted then they can bring additional civil action of $100-$750 per incident or actual damages ($100K to $750K)

CCPA does not apply to:

  • Medical information governed by the California Confidentiality of Medical Information Act or HIPAA
  • Financial information and Personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA)
  • The Drivers Protection Act (covering motor vehicle and drivers license info)
  • California Financial Information Privacy Act
  • Information that is publicly available from federal, state or local records

IDERA Products for Data Protection:

  • ER/Studio Enterprise Team Edition can help you to document your data processes and incorporate data standards into your enterprise data architecture
  • SQL Compliance Manager can help to detect breaches and audit your information to make sure that the wrong people aren’t accessing your data
  • SQL Secure can manage user permissions and audit privacy and encryption standards
  • SQL Safe Backup can help to encrypt the data in your backups
  • SQL Inventory Manager can verify that your servers are patched and up to date

Download a trial copy of our products at https://www.idera.com/

Anonymous