In this article, we'll break down what the CCPA means for businesses operating in California. We’ll explain the importance of complying, and how to start doing so.
Modern technology allows businesses to collect vast amounts of personal data. This can be very valuable, as it helps businesses to create better products and deliver personalised experiences to consumers.
But mass data collection has also raised serious concerns about data being misused for profit or falling into the hands of cybercriminals. Increased awareness of these risks brought about the California Consumer Privacy Act (CCPA), a landmark statute that gives Californians greater control of their personal data.
The California Consumer Privacy Act (CCPA) - and its amended version, the California Privacy Rights Act (CPRA) - protects the data privacy rights of the state’s residents. The regulation sets out strict requirements for handling consumer data as a business.
The regulation is modelled after the EU’s General Data Protection Regulation (GDPR), introduced in response to the boom in the buying and selling of consumer data. Experts predict this lucrative industry will grow to $450 billion by 2030, but until recently it was largely unregulated.
A data collection free-for-all poses a threat to both individual privacy rights and cybersecurity, as high-profile data breaches and privacy scandals like the Facebook-Cambridge Analytica scandal have shown. For this reason, there was a clear need for regulators to make sure that consumers are asked for proper consent before sharing their personal data, as well as to ensure it isn’t being misused or put at risk by organisations that collect it.
The CCPA applies to for-profit businesses operating in California that collect or process the data of the state’s residents.
To fall under the CCPA, businesses must meet at least one of the following criteria:
The CCPA does contain some exemptions, such as for data regulated by certain federal laws like the Health Insurance Portability and Accountability Act (HIPAA). It also exempts certain entities like non-profits and healthcare providers.
The CCPA codifies six key data privacy rights, which businesses need to respect to be compliant:
The CCPA also mandates data minimisation from companies. This is the practice of only collecting the data the business needs from its consumers, rather than gathering all kinds of information that isn't directly relevant to their service or operation.
Additionally, the CCPA requires businesses to implement and maintain ‘reasonable security procedures and practices’. The term ‘reasonable’ isn’t explicitly defined by the statute. However, the California Attorney General has said that industry-accepted security frameworks should be followed. These include the likes of the ISO/IEC 27000 standards, CIS Controls, the NIST Cybersecurity Framework, and PCI DSS.
Complying with GDPR doesn’t guarantee CCPA compliance, and vice versa. Despite similar objectives, the GDPR and CCPA are ultimately two separate sets of regulations with different requirements. Examples of key differences include:
It’s also worth noting that there are key differences between different US states’ data privacy laws. The CCPA has some broader and more detailed requirements than other state privacy laws like the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA).
In short, you need to comply with the local data privacy laws of every jurisdiction in which your business operates and collects consumer data. Businesses need to determine what each regulation requires of them and then make the necessary changes to meet those requirements.
Organisations audited and found not to be complying have 30 days to fix the issues discovered. If not, they face fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Individuals can also bring private lawsuits and sue for damages up to $750 per breach.
As breaches rarely involve a single individual, these numbers can stack up, meaning that fines can be significant. For example, French retailer Sephora was hit with a $1.2 million fine, and DoorDash was recently fined $375,000.
Not complying with the CCPA can also damage your reputation. Being seen not to respect data privacy erodes trust with your customers, investors and partners, leading in turn to lost business.
A Cisco study shows that 81% of respondents believe an organisation's treatment of personal data reflects whether it respects its customers. Consumers are increasingly willing to take action over these concerns: 37% say they’ve switched providers over data privacy practices. This means that the long-term financial consequences of reputational damage could be even greater than any fines.
Businesses often store consumer data in SaaS applications like Google Drive. Making sure that this SaaS data is protected is crucial for complying with the CCPA, which is where Metomic can help.
If you want to learn more about how Metomic helps you protect sensitive consumer data and comply with the CCPA, take a look at how we helped Zappi secure their Google Workspace and respond more quickly to possible data leaks.