The California Consumer Privacy Act (CCPA) is now in force, and those that fail to comply are open to civil penalties and private lawsuits.
But, many business, security, and compliance leaders are still scratching their heads, wondering how the CCPA will affect them, how to stay compliant, and what consequences they face in the event of a data breach.
We’re here to help. We’ve answered some of the key questions businesses are asking about, from the scope of the CCPA to violations under this strict data privacy law.
Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, taking away some of the ambiguity and pushing the state statute closer to the GDPR. Among other changes, the CPRA:
- Gives consumers the right to opt out of sharing their data. That means publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link.
- Enforces a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected. Remember, consumers must be informed about how their data will be used before it is collected.
- Creates an agency to enforce compliance and dish out fines. The new regulatory body – the California Privacy Protection Agency – has dedicated resources and the power to determine whether or not a violation was intentional.
While, yes, the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options.
What does this mean for you? Organizations must ensure compliance with the CCPA, integrating the demands of the CPRA. The CPRA is set to take effect on January 1, 2023, but will apply to data collected from January 1, 2022.
Scope of the CCPA
Who is covered by the CCPA?
The CCPA covers several types of entities, primarily “businesses.” If your company qualifies as a business, it needs to comply with the CCPA.
A business can be any legal entity that operates for profit in California and meets one or more of the CCPA’s three thresholds:
- It has annual gross revenues in excess of $25 million
- It annually buys, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers, households, or devices
- It earns 50 percent or more of its annual revenues from selling consumers’ personal information
Does the CCPA only apply to big businesses?
At first glance, the thresholds above may appear to only apply to large corporations, social media companies, and “data brokers.”
But the truth is, many companies with targeted advertising campaigns may meet the requirements of the second threshold above (threshold “B” in the statute). This is because using third-party cookies is likely to constitute “selling personal information.” (More on this below.)
Therefore, a company is likely to be covered by the CCPA if its website or mobile app:
- Uses third-party advertising or analytics cookies (or similar technologies), and
- Generates at least 50,000 unique hits originating in California per year.
Does the CCPA cover non-Californian companies?
It doesn’t matter if your business is based in Los Angeles, London, or Lahore. The determining factors are whether you collect the personal information of California residents (“consumers”), and whether you meet one or more of the three thresholds above.
Does your business collect the personal information of California residents? It does if they:
- Visit your website (assuming you use web analytics or cookies to measure engagement or track visitors)
- Sign up to your newsletter
- Make an enquiry about your services
That means that if you have a website that attracts visitors from around the world, chances are you’re obligated to satisfy the CCPA.
What is “Personal Information” under the CCPA?
The CCPA defines “personal information” as:
“…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It’s worth mentioning that this is arguably the broadest definition of “personal information” under any privacy law in the world. Nonetheless, the CCPA provides examples of the types of data that might qualify as personal information.
While this list is not exhaustive, it includes:
- Email address
- IP address
- Cookie data
- Device ID
- Biometric data
- Geolocation data
It’s very common for a business to collect these types of information every time a person visits its website or uses its app. And, it’s also impossible to do business with a consumer without collecting at least some of this information.
Think about it. When you buy something on an e-commerce website, what information do you provide?
What is a “Service Provider” under the CCPA?
A service provider is a legal entity that processes personal information on behalf of a business.
For example, a marketing company receives a list of email addresses from a business and sends out its newsletter. The marketing company doesn’t have a direct interest in the end result of this activity — it simply obeys the instructions of the business.
A service provider must also operate under a contract with the business from whom it receives personal information. This contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose outside of the contract.
In layman’s terms: Service providers are not directly liable for most CCPA obligations. But, if a service provider’s negligence or wrongdoing leads to a data breach, it can be sued by the client. Service providers can also receive civil penalties (more on that below) in certain circumstances.
Unfortunately, it’s not clear yet what these “certain circumstances” are. As and when we have more context, we’ll update this blog!
Violating the CCPA
What is the CCPA’s Private Right of Action?
Under the CCPA’s private right of action, a consumer — or group of consumers — can bring a legal claim against a business that fails to secure certain types of their personal information and suffers a data breach. (You can read more about which types of personal information qualify in this blog.)
But, what happens if a consumer does pursue this private right of action? It can lead to:
- Statutory damages — an amount of money paid to each consumer, determined by the court, depending on the seriousness of the breach (among other factors). Statutory damages fall between $100 and $750 per consumer, per incident.
- Actual damages — an amount of money paid to each consumer, based on what they have actually lost as the result of a breach.
In the event of large-scale data breaches involving millions of consumers, damages could add up to billions of dollars. We’ve yet to see any legal claims completed under the CCPA. However, what if the CCPA had been in force throughout Facebook’s “Cambridge Analytica” scandal? Privacy lawyer Nicholas Schmidt estimates that the damage could have been between $61.6 billion and $184.7 billion.
What are the CCPA’s civil penalties?
The California Attorney General can issue civil penalties to businesses or service providers that violate any part of the CCPA.
The CCPA’s civil penalties can be for an amount of:
- Up to $7,500 per intentional violation, such as knowingly selling personal information where a consumer has opted out.
- Up to $2,500 per unintentional violation, such as failing to impose reasonable security measures leading to a data breach.
Note: This is why it’s so important that organizations have strong security policies, procedures, and solutions in place. Reducing risk by improving your security posture is key. Tessian helps prevent data exfiltration and accidental data loss. Our solutions also help security leaders proactively protect their systems and data through automated intelligence and robust investigation and remediation tools.
The California Attorney General must give a business 30 days’ notice of its alleged CCPA violation. If the business can “cure” the violation within this period, it can escape a penalty.
While it’s not clear how a business can “cure” a CCPA violation, examples may include imposing security measures to “stem” a data breach or successfully retrieving personal information that has been exfiltrated.
Privacy regulators are increasingly imposing harsh penalties on big tech companies. The CCPA takes clear inspiration from the EU General Data Protection Regulation (GDPR), which has seen the following large fines:
- €50 million (Google, France)
- €27.8 million (TIM telecommunications company, Italy)
- €204.6 million (British Airways, UK — not yet enforced)
CCPA Data Security Requirements
What counts as a data breach under the CCPA?
The CCPA defines a data breach as:
“…unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”
Here are the key elements of this definition:
- Unauthorized access
- A failure to “maintain reasonable security procedures and practices”
Remember that a data breach can be intentional or unintentional and it can originate from a person inside or outside of your business. Read more about Insider Threats on our blog.
According to the most recent California Data Breach Report, misdirected emails (emails sent to the wrong recipient) were the leading cause of data breaches.
In the UK, misdirected emails were also the most common cause of data breach in quarter 4 of 2019-20, according to the UK Information Commissioner’s Office (ICO). As we’ve said, the CCPA requires a proactive approach to maintaining data security. Read about how Tessian can help CCPA compliance below or learn more about Tessian Guardian, which detects and prevents misdirected emails before they happen.
What is “reasonable security” under the CCPA?
The CCPA doesn’t define “reasonable security procedures and practices.”
However, in the most recent California Data Breach Report, the California Attorney General clearly states that meeting the 20 Critical Security Controls from the Center for Internet Security (CIS) represents a minimum reasonable level of security.
“The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
The CIS Critical Security Controls include:
- Email and web browser protection
- Malware protection
- Application software security
It’s worth noting that email is the threat vector most security leaders are worried about protecting. Find out why.
CCPA Consumer Rights
What are the CCPA Consumer Rights?
The CCPA’s consumer rights are:
- The right to know — consumers may request information about the types of information a business has collected, used, and shared about them over the past 12 months. They may also request copies of the specific pieces of information that the business holds about them.
- The right to delete — consumers may request that a business deletes the personal information it holds about them.
- The right to opt out — consumers may instruct a business not to sell their personal information.
- The right to non-discrimination — businesses may not offer a lesser quality of goods or services or demand a higher price for goods or services if a consumer exercises their CCPA rights.
- The right to opt in (for minors) — businesses must obtain opt-in consent before selling the personal information of minors under the age of 16. They must obtain parental consent before selling the personal information of minors under the age of 13.
In upholding these consumer rights, businesses have an obligation to provide individuals certain types of notice. More on that below.
What are the CCPA’s notice requirements?
Under the CCPA, businesses must provide up to four types of notice to consumers:
- Notice at collection — provided at the point at which the business collects personal information from a consumer. This could appear, for example, as a disclaimer at the top of a sign-up form, informing consumers about what personal information the business is collecting and why.
- Notice of the right to opt-out — enables consumers to opt out of the sale of their personal information (where applicable). This must include a prominent link on a business’s homepage reading “Do Not Sell My Personal Information.” It might also take the form of a “cookie banner” enabling consumers to opt out of personalized advertising.
- Notice of financial incentives — informs consumers about any financial incentives offered for the processing of their personal information (where applicable). This can appear as a disclaimer when consumers are invited to sign up to certain types of “loyalty schemes.”
What counts as “selling” Personal Information under the CCPA?
The CCPA defines “selling” personal information as:
“…selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
There is a lot of debate about what this means for businesses. Virtually any transfer of personal information that benefits your company could constitute a “sale.” And, because of the very broad phrasing, this definition is likely to include the use of third-party cookies, which involve “transferring” “personal information” (such as IP addresses and device IDs) to “a third party” for “valuable consideration.”
Don’t worry, there are several approaches to transferring Personal Information without “selling” it, including engaging a service provider when disclosing personal information for business purposes.
How can Tessian help with CCPA compliance?
While some parts of the CCPA are still open to debate, we know the following facts for certain:
- Data breaches will leave CCPA-covered businesses open to significant risks of private litigation and civil penalties.
- Failure to implement reasonable security procedures and practices will:
  - Increase the likelihood of a data breach occurring, and
  - Lead to more substantial fines and more serious legal claims.
- As one of the CIS Critical Security Controls, “email protection” is one of the minimum requirements for “reasonable security.”
Tessian’s Human Layer Security solutions can fulfill a crucial element of your company’s duty to maintain reasonable security procedures and practices.
- Tessian Guardian — prevents your employees from emailing personal or sensitive company information to the wrong person.
- Tessian Enforcer — prevents the exfiltration of company data to unauthorized recipients.
- Tessian Defender — detects and prevents inbound “spear-phishing” attacks designed to trick your employees into divulging personal information.
Learn more about Tessian’s solutions by booking a demo.