CCPA FAQs: Your Guide to California's New Privacy Law

Table of Contents

Who is covered by the CCPA?

Does the CCPA only apply to big businesses?

Does the CCPA cover non-Californian companies?

What is “Personal Information” under the CCPA?

What is a “Service Provider” under the CCPA?

What is the CCPA’s Private Right of Action?

What are the CCPA’s civil penalties?

What counts as a data breach under the CCPA?

What is “reasonable security” under the CCPA?

What are the CCPA Consumer Rights?

What are the CCPA’s notice requirements?

What counts as “selling” Personal Information under the CCPA?

How can Tessian help with CCPA compliance?

The California Consumer Privacy Act (CCPA) is now in force, and those that fail to comply are open to civil penalties and private lawsuits.

But, many business, security, and compliance leaders are still scratching their heads, wondering how the CCPA will affect them, how to stay compliant, and what consequences they face in the event of a data breach.

We’re here to help. We’ve answered some of the key questions businesses are asking about, from the scope of the CCPA to violations under this strict data privacy law.

Not what you were looking for? We’ve covered the 5 Things Every CISO Should Know About CCPA’s Impact on Their InfoSec Program in a seperate blog.

Scope of the CCPA

Who is covered by the CCPA?

The CCPA covers several types of entities, primarily “businesses.” If your company qualifies as a business, it needs to comply with the CCPA.

A business can be any legal entity that operates for profit in California and meets one or more of the CCPA’s three thresholds:

It has annual gross revenues in excess of $25 million
It annually buys, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers, households, or devices
It earns 50 percent or more of its annual revenues from selling consumers’ personal information

Does the CCPA only apply to big businesses?

At first glance, the thresholds above may appear to only apply to large corporations, social media companies, and “data brokers.”

But the truth is, many companies with targeted advertising campaigns may meet the requirements of threshold “B.” This is because using third-party cookies is likely to constitute “selling personal information. (More information below. Click here to jump ahead.)

Therefore, a company is likely to be covered by the CCPA if its website or mobile app:

Uses third-party advertising or analytics cookies (or similar technologies), and
Generates at least 50,000 unique hits originating in California per year.

“If you have a website that attracts visitors from around the world, chances are you’re obligated to satisfy the CCPA. ”

Does the CCPA cover non-Californian companies?

It doesn’t matter if your business is based in Los Angeles, London, or Lahore. The determining factors are whether you collect the personal information of California residents (“consumers”), and whether you meet one or more of the three thresholds above.

Does your business collect the personal information of California residents? It does if they:

Visit your website (assuming you use web analytics or cookies to measure engagement or track visitors)
Sign up to your newsletter
Make an enquiry about your services

That means that if you have a website that attracts visitors from around the world, chances are you’re obligated to satisfy the CCPA.

What is “Personal Information” under the CCPA?

The CCPA defines “personal information” as:

“…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

It’s worth mentioning that this is arguably the broadest definition of “personal information” under any privacy law in the world. Nonetheless, the CCPA provides examples of the types of data that might qualify as personal information.

While this list is not exhaustive, it includes:

Name
Email address
IP address
Cookie data
Device ID
Biometric data
Geolocation data

It’s very common for a business to collect these types of information every time a person visits its website or uses its app. And, it’s also impossible to do business with a consumer without collecting at least some of this information.

Think about it. When you buy something on an e-commerce website, what information do you provide?

What is a “Service Provider” under the CCPA?

A service provider is a legal entity that processes personal information on behalf of a business.

For example, a marketing company receives a list of email addresses from a business and sends out its newsletter. The marketing company doesn’t have a direct interest in the end result of this activity — it simply obeys the instructions of the business.

A service provider must also operate under a contract with the business from whom it receives personal information. This contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose outside of the contract.

In layman’s terms: Service providers are not directly liable for most CCPA obligations. But, if a service provider’s negligence or wrongdoing leads to a data breach, it can be sued by the client. Service providers can also receive civil penalties (more on that here) in certain circumstances.

Unfortunately, it’s not clear yet what these “certain circumstances” are. As and when we have more context, we’ll update this blog!

Violating the CCPA

What is the CCPA’s Private Right of Action?

Under the CCPA’s private right of action, a consumer — or group of consumers — can bring a legal claim against a business that fails to secure certain types of their personal information and suffers a data breach. (You can read more about what types of PI in this blog.)

But, what happens if a consumer does pursue this private right of action? It can lead to:

Statutory damages — an amount of money paid to each consumer, determined by the court, depending on the seriousness of the breach (among other factors). Statutory damages fall between $100 and $750 per consumer, per incident.
Actual damages — an amount of money paid to each consumer, based on what they have actually lost as the result of a breach.

In the event of large-scale data breaches involving millions of consumers, damages could add up to billions of dollars. We’ve yet to see any legal claims completed under the CCPA. However, what if the CCPA had been in force throughout Facebook’s “Cambridge Analytica” scandal? Privacy lawyer Nicholas Schmidt estimates that the damage could have been between $61.6 billion and $184.7 billion.

What are the CCPA’s civil penalties?

The California Attorney General can issue civil penalties to businesses or service providers that violate any part of the CCPA.

The CCPA’s civil penalties can be for an amount of:

Up to $7,500 per intentional violation, such as knowingly selling personal information where a consumer has opted out.
Up to $2,500 per unintentional violation, such as failing to impose reasonable security measures leading to a data breach.

Note: This is why it’s so important organization’s have strong security policies, procedures, and solutions in place. Reducing risk by improving your security posture is key. Tessian helps prevent data exfiltration and accidental data loss. Our solutions also help security leaders proactively protect their systems and data through automated intelligence and robust investigation and remediation tools. Learn more.

The California Attorney-General must give a business 30 days’ notice of its alleged CCPA violation. If the business can “cure” the violation within this period, it can escape a penalty.

While it’s not clear how a business can “cure” a CCPA violation, examples may include imposing security measures to “stem” a data breach or successfully retrieving personal information that has been exfiltrated.

Privacy regulators are increasingly imposing harsh penalties on big tech companies. The CCPA takes clear inspiration from the EU General Data Protection Regulation (GDPR), which has seen the following large fines:

€50 million (Google, France)
€27.8 million (TIM telecommunications company, Italy)
€204.6 million (British Airways, UK — not yet enforced)

“According to the most recent California Data Breach Report, misdirected emails (emails sent to the wrong recipient) were the leading cause of data breaches.”

CCPA Data Security Requirements

What counts as a data breach under the CCPA?

The CCPA defines a data breach as:

“…unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”

Here are the key elements of this definition:

Unauthorized access
Exfiltration
Theft
Disclosure
A failure to “maintain reasonable security procedures and practices”

Remember that a data breach can be intentional or unintentional and it can originate from a person inside or outside of your business. Read more about Insider Threats on our blog.

According to the most recent California Data Breach Report, misdirected emails (emails sent to the wrong recipient) were the leading cause of data breaches.

In the UK, misdirected emails were also the most common cause of data breach in quarter 4 of 2019-20, according to the UK Information Commissioner’s Office (ICO). As we’ve said, the CCPA requires a proactive approach to maintaining data security. Read about how Tessian can help CCPA compliance below or learn more about Tessian Guardian, which detects and prevents misdirected emails before they happen.

What is “reasonable security” under the CCPA?

The CCPA doesn’t define “reasonable security procedures and practices.”

However, in the most recent California Data Breach Report, the California Attorney-General clearly states that meeting the 20 Critical Security Controls from the Center for Internet Security (CIS) represents a minimum reasonable level of security.

“The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

California Attorney-General

The CIS Critical Security Controls include:

Email and web browser protection
Malware protection
Application software security

It’s worth noting that email is the threat vector most security leaders are worried about protecting. Find out why.

CCPA Consumer Rights

What are the CCPA Consumer Rights?

The CCPA’s consumer rights are:

The right to know — consumers may request information about the types of information a business has collected, used, and shared about them over the past 12 months. They may also request copies of the specific pieces of information that the business holds about them.
The right to delete — consumers may request that a business deletes the personal information it holds about them.
The right to opt out — consumers may instruct a business not to sell their personal information
The right to non-discrimination — businesses may not offer a lesser quality of goods or services or demand a higher price for goods or services if a consumer exercises their CCPA rights.
The right to opt in (for minors) — businesses must obtain opt-in consent before selling the personal information of minors under the age of 16. They must obtain parental consent before selling the personal information of minors under the age of 13.

In upholding these consumer rights, businesses have an obligation to provide individuals certain types of notice. More on that below.

What are the CCPA’s notice requirements?

Under the CCPA, businesses must provide up to four types of notice to consumers:

Privacy Policy — details which categories of personal information the business has collected, used, disclosed, and sold over the past 12 months. Every businesses must include a clear and prominent link to its Privacy Policy on its website and/or app.
Notice at collection — provided at the point at which the business collects personal information from a consumer. This could appear, for example, as a disclaimer at the top of a sign-up form, informing consumers about what personal information the business is collecting and why.
Notice of the right to opt-out — enables consumers to opt out of the sale of their personal information (where applicable). This must include a prominent link on a business’s homepage reading “Do Not Sell My Personal Information.” It might also take the form of a “cookie banner” enabling consumers to opt out of personalized advertising.
Notice of financial incentives — informs consumers about any financial incentives offered for the processing of their personal information (where applicable). This can appear as a disclaimer when consumers are invited to sign up to certain types of “loyalty schemes.”

What counts as “selling” Personal Information under the CCPA?

The CCPA defines “selling” personal information as:

“…selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

There is a lot of debate about what this means for businesses. Virtually any transfer of personal information that benefits your company could constitute a “sale.” And, because of the very broad phrasing, this definition is likely to include the use of third-party cookies, which involve “transferring” “personal information” (such as IP addresses and device IDs) to “a third party” for “valuable consideration.”

Don’t worry, there are several approaches to transferring Personal Information without “selling” it, including engaging a service provider when disclosing personal information for business purposes.

How can Tessian help with CCPA compliance?

While some parts of the CCPA are still open to debate, we know the following facts for certain:

Data breaches will leave CCPA-covered businesses open to significant risks of private litigation and civil penalties.
Failure to implement reasonable security procedures and practices will:
- Increase the likelihood of a data breach occurring, and
- Lead to more substantial fines and more serious legal claims.
As one of the CIS Critical Security Controls, “email protection” is one of the minimum requirements for “reasonable security.”

Tessian’s Human Layer Security solutions can fulfill a crucial element of your company’s duty to maintain reasonable security procedures and practices.

Tessian Guardian — prevents your employees from emailing personal or sensitive company information to the wrong person.
Tessian Enforcer — prevents the exfiltration of company data to unauthorized recipients.
Tessian Defender — detects and prevents inbound “spear-phishing” attacks designed to trick your employees into divulging personal information.

Learn more about Tessian’s solutions by booking a demo.

Stay Compliant With Tessian

Book a Demo Now

Compliance

US Data Privacy Laws 2020: What Security Leaders Need to Know

13 July 2020

When it comes to privacy and data security, the United States has a less strict regulatory environment than many other major economies, such as the European Union. However, several states have passed laws in recent years that impose significant requirements on businesses handling the personal information of US residents.There are also some tough sector-specific federal privacy laws that you might not realize you need to comply with. This guide will help you understand: Which US state and federal privacy laws apply to your business What the laws require The consequences of a violation Let’s start with state laws. State Laws While these are “US state privacy laws”, they actually apply to businesses around the world. Why? Because it doesn’t matter where your business is located, it matters whose personal information you’re handling. We’ll give examples below, with a focus on the three broadest and strictest US state privacy laws. California Consumer Privacy Act (CCPA) The California Consumer Privacy Act (CCPA) came into full force in 2020 and is California’s state law that many people are (justifiably) comparing to the European Union’s world-leading General Data Protection Regulation (GDPR). If you’re interested, you can read the full text here. Who Does the CCPA Apply to? Although the CCPA was written with big tech companies in mind, it affects businesses across sectors. The CCPA covers any business handling the personal information of California residents (regardless of whether the business has any physical presence in the state) that meets one of the following three thresholds: It has gross revenues in excess of $25 million per year, It buys, sells, receives or shares for commercial purposes the personal information of at least 50,000 California consumers or households per year, OR It derives 50 percent or more of its annual revenues from selling consumers’ personal information Note that, due to the CCPA’s broad definition “personal information” — and of what constitutes “selling” personal information — a company may fall under threshold “B” if: It operates a website or app that uses third-party cookies for advertising or analytics, and The website or app attracts at least 50,000 California visitors or users per year.

What Are the Main Requirements Under the CCPA? The CCPA’s main obligations include: Notice: Businesses must provide consumers with notice of how they collect, use, and share personal information. This necessitates a comprehensive Privacy Policy. Control: Businesses must allow consumers to access and delete their personal information. How? By allowing consumers to opt out of the sale of their personal information. Security: Businesses must apply reasonable security procedures and practices to safeguard the personal information they store. This may include malware protection, staff training, and email security. Violating any part of the CCPA can lead to civil penalties of: Up to $2,500 per unintentional incident (such as failing to implement proper security protections, leading to a data breach). Up to $7,500 per intentional incident (such as deliberately selling the personal information of consumers who have “opted out”). Data breaches can be particularly heavily penalized under the CCPA’s private right of action, with statutory damages of up to $750 per consumer, per incident. Failing to implement proper data security practices could, therefore, lead to class action lawsuits in the billions of dollars, depending on the severity and extent of the breach. That’s why it’s so important organization’s level-up their cybersecurity. Still have questions? We answered 13 FAQs about the CCPA in this article. We also outline the 5 Things CISOS Should Know About The CCPA here. New York SHIELD Act The New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act) is a New York State Act that came into full force in 2020. Again, if you want to read the full text, you can find it here. In a sentence, it’s a data breach notification law that imposes data security standards on covered businesses. Who Does the NY SHIELD Act Apply to? The NY SHIELD Act applies to “any person or business that owns or licenses computerized data which includes private information of a resident of New York.” This includes businesses with no physical presence in the state. So, what’s “private information”? The Act’s definition is complex, but, broadly, it includes: A person’s full name, or first initial and last name, plus At least one of the following unencrypted (or compromised) data elements: Social security number, Driver’s license or other ID number, Bank account or credit card number (plus security code or PIN), Biometric data. OR: An email address or username, plus A password, “secret question” answer, or any other means of access. It’s important to note that gaining access to these data points is easier than you might think. Just look at your mailing list. What Are the Main Requirements Under the NY SHIELD Act? The NY SHIELD Act consists of two parts: Data breach notification: Businesses must report any breach of the private information of New York residents to the affected persons and to various New York authorities “in the most expedient time possible and without unreasonable delay.” Data security program: Businesses must implement reasonable administrative, technical, and physical security measures to safeguard the private information of New York residents. This must include: Risk assessment of how employees transfer and communicate private information, Appropriate software protection such as email security, Staff training on privacy and data security. Violating the SHIELD Act’s data breach notification requirements can lead to a civil penalty of up to $250,000. Oregon Consumer Identity Theft Protection Act (OCIPA) The Oregon Consumer Identity Theft Protection Act (OCIPA) (previously the Oregon Consumer Identity Theft Protection Act) is an Oregon state law that received significant amendments in 2019 (available here). It is a data breach notification law that imposes data security standards on covered businesses. Who Does OCIPA Apply to? OCIPA law applies to “any person that owns, maintains or otherwise possesses” the personal information of Oregon residents. OCIPA defines “personal information” in much the same way as the NY SHIELD Act, with two additional types of information included: Health insurance policy numbers and other health-related identifiers, Information about a person’s physical or mental diagnoses or history. This means that those working in healthcare have to be especially careful. You can read more about the frequency of data loss incidents in this specific sector in our blog: Data Loss Prevention in Healthcare. What Are the Main Requirements Under the OCIPA? Like the NY SHIELD Act, OCIPA requires businesses to implement a “data security program” to maintain administrative, technical, and physical safeguards over the personal information they possess. An OCIPA data security program must include measures such as: Designating an employee to oversee the program, Safeguarding against and and responding to cyberattacks Implementing anti-malware and email protection software Any data breach must be reported to the individuals affected “without unreasonable delay, but not later than 45 days” after discovering the breach. If the breach affects 250 or more Oregon residents, it must be reported to the Oregon Department of Justice. The maximum fine for failing to properly report a breach is $25,000 per violation. Next up: three of the most important US federal privacy laws. These are sector-specific, but they each apply more broadly than you might expect. Federal Laws Children’s Online Privacy Protection Act (COPPA) The Children’s Online Privacy Protection Act (COPPA) is a federal law first passed in 1998 and it covers the provision of goods and services to children. You can read the full text here, but we’ve answered key questions below. Who Does COPPA Apply to? COPPA applies to anyone who operates a commercial website, online service, or mobile app that is: Directed at minors under the age of 13, or Knowingly collecting the personal information of minors under the age of 13. While we can’t write an extensive list of all the different websites, services, or apps that meet these requirements, think of brands like Disney, Hasbro, and Mattel. Importantly, COPPA applies to non-US companies and content creators using platforms such as YouTube and TikTok. Personalized advertising is a big target of COPPA enforcement. IP addresses and device IDs qualify as “personal information” under the Act. Most websites and apps collect this type of information. What Are the Main Requirements Under COPPA? Under COPPA, businesses are required to: Provide privacy notices to parents, Obtain parental consent before collecting, using, or sharing children’s personal information, Allow parents to opt out of the processing of children’s personal information, Allow parents to access their children’s personal information, Collect the minimum personal information necessary from children, Protect the confidentiality, security, and integrity of children’s personal information by maintaining reasonable security practices. Violating COPPA can lead to fines of up to $43,280 per incident. In 2019, Google settled an alleged COPPA violation with the FTC for $170 million Health Insurance Portability and Accountability Act (HIPAA) The Health Insurance Portability and Accountability Act (HIPAA) is a federal law first passed in 1996. As the name suggests, it covers the healthcare sector. Who Does HIPAA Apply to? HIPAA applies to “covered entities,” including: Healthcare providers (e.g. doctors, physiotherapists, nursing homes, pharmacists, dentists, etc.) Health plans (e.g. health insurance companies, employee-sponsored health plans) Healthcare clearinghouses (e.g. billing services, community health information systems) Covered entities process “protected health information” (PHI), which covers 18 categories of personal information including: Names Email addresses IP addresses Medical record numbers IP addresses While “covered entities” deal directly with health information, HIPAA also applies to subcontractors of covered entities that require access to PHI. Such subcontractors are known as “business associates.” Some common types of companies that act as “business associates” include: Third-party claims management administrators Lawyers Medical transcriptionists Data analysts What Are the Main Requirements Under HIPAA? HIPAA places strict obligations on how covered entities and business associates process PHI, with rules covering: Privacy: Providing access to PHI to individuals (this is optional, unlike “the right to access” under the CCPA) Providing Privacy Notices when collecting or disclosing PHI, Training employees on matters of patient privacy. Security: Assessing the risk to PHI from cybersecurity threats, Implementing anti-malware and email protection software, Reporting actual or suspected cyberattacks to the Office for Civil Rights as soon as possible, and within 60 days. Remember that privacy and security threats can come from outside or inside your organization. In 2017, the Department for Health and Human Services settled an investigation with a HIPAA covered entity for $5.5 million after a trusted employee leaked the PHI of 80,000 individuals. You can read more about incidents involving Insider Threats (including two instances involving the NHS) in this blog: Insider Threat Types and Real-World Examples.) Penalties under HIPAA can range from $100 to $50,000 per violation. Gramm-Leach-Bliley Act (GLBA) The Gramm-Leach-Bliley Act (GLBA) is a federal law first passed in 1999 (available here). It covers the financial sector. Who Does the GLBA Apply to? The GLBA covers “financial institutions,” but this definition is broader than you might expect. The FTC defines a “financial institutional” as any business that is “significantly engaged in providing financial products or services.” So, alongside banks and investment firms, the GLBA covers following types of businesses: Check-cashing businesses Payday and other non-bank lenders Mortgage brokers Real estate appraisers Professional tax preparers Certain courier services What Are the Main Requirements Under the GLBA? One of the chief obligations under the GLBA is to develop a written security program explaining how your business safeguards consumer information. When it comes to creating a security program, GLBA’s requirements are fairly flexible, and include: Designating an employee to oversee the program, Identifying risks in each area of operation, and assessing the security safeguards relevant to that area, Adjusting the program in light of relevant risk factors and technological developments. While the GLBA’s security program requirement leaves plenty of room for maneuver, covered businesses would be expected to implement basic cybersecurity protections such as the encryption of consumer information and company-wide installation of security software, including data loss prevention solutions. GLBA violations incur particularly heavy penalties, including fines of up to $100,000 per violation and/or up to five years in prison. But, that isn’t deterring professionals working in Financial Services from mishandling data. According to Tessian research, the majority of employees have accidentally or intentionally exfiltrated data. How can I stay compliant?

While every data privacy law is slightly different, each is consistent in saying that businesses must implement and maintain a cybersecurity program. Tessian helps organizations across sectors stay compliant by protecting data on email. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Learn more by booking a demo. Or, you can read through our customer stories, including those operating in Healthcare and Financial Services.

CCPA FAQs: Your Guide to California’s New Privacy Law