CCPA Compliance

What is the CCPA Act?

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that governs how businesses all over the world may handle California residents' personal information (PI). The CCPA went into effect on January 1, 2020. It is the first law of its kind in the United States.

The CCPA defines "personal data" as any information that identifies, relates to, describes, is capable of being associated with, or could feasibly be linked, intentionally or unintentionally, to a particular consumer or household. This law differs from the GDPR, the ePrivacy Directive, and other privacy laws in that it includes household information in its definition of personal information.

Names, email addresses, biometric data, IP addresses, Internet of Things (IoT) information, geolocation data, professional or employment information, and similar data are all examples of personal information. Publicly available information, however, is not treated as personal information under the CCPA.

The CCPA applies to any for-profit business in the world that sells the personal information of more than 50,000 California residents per year, has an annual gross revenue of more than $25 million, or derives more than half of its annual revenue from selling the personal information of California residents.

The CCPA exempts "insurance entities, agencies, and support programs" because they are already subject to similar regulations under California's Insurance Information and Privacy Protection Act (IIPPA).

What are the requirements for CCPA compliance?

The CCPA gives consumers more control over the personal information that businesses collect about them, through the following rights:

  • The right of Californians to know what personal information is being collected about them.

  • The right of Californians to know whether their personal information is sold or disclosed and to whom.

  • The right of Californians to say no to the sale of personal information.

  • The right of Californians to access their personal information.

  • The right of Californians to equal service and price, even if they exercise their privacy rights.

If this law applies to you, the CCPA contains clear and precise compliance requirements that your company must meet:

  • Adding information to your privacy policy about how, why, and what personal information you collect and process.

  • Updating your privacy policy to explain how your users can request access to, correction of, or deletion of the personal data you have collected about them.

  • Introducing a method for verifying the identity of all those making such requests.

  • Adding a link to your home page that says, "Do Not Sell My Personal Information." This link lets consumers opt out of the sale of their personal information.

  • Acquiring prior consent from minors aged 13 to 16 before selling their personal data. Minors under the age of 13 must have prior parental consent.

Why should you be CCPA compliant?

By design, the CCPA provides significant benefits to consumers, who gain unprecedented control over their data. For starters, consumers have the right to access all data that business organizations have collected about them. They can request this data for free twice a year, without fear of retaliation from the organization.

Failure to abide by the CCPA can result in hefty fines. If you do not meet the CCPA requirements within 30 days of being notified, the Attorney General can file a civil case against you. In the event of a data breach, this carries the risk of a fine of up to $7500 per violation. Because the penalty is assessed per violation, disregarding the CCPA-guaranteed rights of 1000 users exposes you to correspondingly large legal consequences.

How to achieve compliance?

Increased disclosure is an essential component of compliance for companies subject to the CCPA. When personal information is collected, organizations must create and distribute privacy notices to consumers. These notices should describe how personal information is collected and used, as well as the categories of personal information that the organization has sold to third parties in the previous year.

Businesses must also fully disclose and notify consumers of the existence and nature of their CCPA rights. Among other things, these rights allow an individual to request copies of the personal information a business holds about them.

To help companies meet the CCPA requirements for protecting their customers' PI, the Centraleyes platform includes a built-in CCPA questionnaire, automated workflows and analysis, integrated collection tools, prioritized remediation guidance, and real-time customized scoring. Completing this questionnaire in a streamlined, easy-to-use platform helps organizations collect the necessary data in a timely manner and makes the compliance process more manageable.

Centraleyes has also mapped the CCPA back to its extensive control inventory, allowing data to be shared across multiple frameworks via the platform, which saves time and money and yields more accurate data. Furthermore, the platform provides visual reports that non-technical senior leaders can understand. Reports are built in a clean and intuitive structure, giving the cyber risk team a full view of their risk posture with the ability to dive into five different focus areas. Organizations can gain complete visibility into their cyber risk levels and compliance status by using the Centraleyes platform.