What is CCPA?
The California Consumer Privacy Act (CCPA) was enacted on June 28, 2018, and will come into effect on January 1, 2020. It is a privacy act designed to protect Californians’ rights to access and delete the data that companies collect about them. The CCPA also allows users to opt out of their data being sold.
CCPA applies to any organization that conducts business in California and meets one of the three following conditions:
- Earns $25 million or more in revenue per year.
- Annually buys, receives, sells, and/or shares the personal information of 50,000 or more consumers, households, or devices, alone or in combination.
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information.
It is important to note that because visitors to a website contribute to the number of consumers, households, or devices for which data is received, nearly all businesses will be subject to CCPA.
- Does your business or agency collect, maintain or store California residents’ personal information?
- Do you have a Chief Information Officer or Data Privacy Officer designated, in writing, as responsible for managing and protecting personal information?
- Have you conducted an analysis of how personal information is ingested, processed, and shared within the company?
- Do you have a data flow diagram that shows information movement within the company’s networks?
- How do you use NIST 800-171 (Appendix D), initially and through “continuous monitoring” activities, to ensure that the proper security controls exist?
- How do you safeguard information “in transit” and “at rest”?
- Have you planned for segregating California residents’ data?
DISC helps business owners in California meet the new 2018 requirements of the CCPA and implement the National Institute of Standards and Technology’s (NIST) 800-171 cybersecurity framework. The roadmap is tailored to the CCPA for any business, agency or organization that is required to meet this new State Law, and describes both the technical and the administrative measures that will attain an acceptable level of compliance for State certifying officials. The assessment will include, but is not limited to, compliance with policies and procedures, the security strategy/plan, and the plan of actions & milestones. The initial assessment will determine the as-is state of your data privacy program and its business, legal and regulatory requirements. DISC will then provide a target (to-be) state, including the technical, management and operational controls needed to build your data privacy program on NIST 800-171. The transition plan (roadmap) enumerates the details of how to get from the as-is state to the to-be state.
Our cybersecurity consultants support businesses and agencies in effectively meeting the 110 security controls in NIST 800-171, which has become the de facto standard for cybersecurity compliance. This ensures that the security policies and practices of the framework meet the intent of the CCPA. Adequate security is defined by “compliance” with the 110 NIST 800-171 security controls.
The board must understand the implications of the CCPA in order to support the project and allocate the resources required to complete it. A director will also need to be assigned accountability for the CCPA, and data protection risk will need to be incorporated into the corporate risk management and internal control framework.
A person or team must control this project, and they will need a significant understanding of both the business and the CCPA.
will give your team the knowledge and skills required to implement an effective compliance program and fulfill the data protection officer (DPO) role.
Once the CCPA team is aware of the ins and outs of the regulation, it will need to work out which parts of the business fall within the scope of the CCPA (business units, territories, and jurisdictions) and identify which standards and management systems may be affected or could contribute to CCPA compliance, e.g. NIST 800-171 and ISO 27001. Speak to your IT team to find out if there are any projects starting soon that involve personal data, as these will be candidates for privacy by design. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery but also from the inception of the product.
To assess what measures are needed to align your data processing with the CCPA, you must first identify which categories of data are held, where the data comes from and the lawful basis for processing it. There are special categories of data that entail stricter processing rules, such as getting explicit consent.
It’s essential to understand the flow of personal data within the business, as well as where it comes from and where it is sent. This will help you to identify risks in data processing activities and where controls are required.
From this, you can decide whether a data protection impact assessment (DPIA) is required to help identify, assess and mitigate or minimize privacy risks with data processing activities. The three primary conditions for a DPIA identified in the CCPA are:
may allow you to create data flow maps with a simple, easy-to-use interface.
It’s vital to get an understanding of your level of compliance with the CCPA based on NIST 800-171. A gap analysis highlights this as well as offering guidance on the key areas your organization must address.
According to the CCPA requirements, companies will be required to record personal data processing activities including, but not limited to, the categories of data being processed, the categories of recipients of the data and time limits for keeping the data.
Each business will also need a privacy notice and a data protection policy, and to update or review contracts with employees and suppliers to ensure they are compliant.
Data subject access requests, incident reporting, and data breach reporting will all need written processes, too.
As your business becomes CCPA compliant, staff need to understand and follow the new processes and procedures. Training new staff and holding regular refreshers is essential.
CCPA compliance is a journey, not a destination. To demonstrate ongoing compliance you will need to undertake periodic internal audits and updates of your data protection processes. This includes record keeping of processing activities and consent, testing information security controls and conducting DPIAs. Don’t wait until January 2020 to get CCPA-ready; contact us for an initial gap assessment.
GDPR and CCPA
How CCPA differs from GDPR.
-> While GDPR requires consumers to opt in to data collection, CCPA only offers consumers the right to opt out. That means CCPA still allows sites to collect users’ data when they sign up to a new site or make a purchase online, whereas GDPR specifically requires sites to get consent before collecting any data. This is a major difference.
-> Another difference between CCPA and GDPR is the distinction between metadata and data. CCPA explicitly states that a consumer has the right to be informed of the categories of personal data, the categories of sources of data, and the categories of third parties with which a business shares personal data. GDPR only speaks about data and the need for plain language in disclosures to data subjects.
-> Another main difference between CCPA and GDPR is that damages can be awarded to individuals. Under GDPR, fines for failure to comply can be four percent of global revenue or 20 million euros (whichever is higher). CCPA ensures that in the event of a data breach, a business may have to compensate a consumer (per individual or household). What should be troubling for covered businesses is that, if successful, a plaintiff (consumer) can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater.
Implications of CCPA
CCPA requires businesses to take several steps, including those listed below, to come into compliance on or before the effective date of January 1, 2020.
-> Privacy policies will need to be updated. These policies must include two things: (1) a link that directs to the opt-out page and (2) the information required by the right to know.
-> Because of the right to know and right to deletion, businesses will need to implement a framework to track and respond to potentially large numbers of consumer requests.
-> Businesses will need to be able to identify and segregate all consumer data they may sell.
-> Businesses planning on mergers, acquisitions, or transactions involving consumer data should seek legal advice to determine if and how the act would impact such a transaction.
-> Training programs will need to be developed and implemented for employees responsible for handling consumer inquiries about the business’s privacy practices or its compliance with the act.
-> Businesses will need to offer a toll-free number and a website allowing consumers to opt out.
-> For violations of the act, a business is subject to statutory damages as explained above.
We have explained the California Consumer Privacy Act to help you prepare for the effective date and make the necessary changes to ensure compliance with the CCPA. If you have any further questions or need any assistance regarding data privacy, please contact us. DISC has experience helping businesses create data privacy programs and implement data privacy policies and procedures; our deep expertise will ensure that your transition to CCPA compliance is as straightforward and effortless as possible.