Key Points:

• The California Consumer Privacy Act (CCPA) aims to safeguard the personal data of Californians in light of increasing data collection by businesses.
• Key requirements for CCPA compliance include respecting consumers' data privacy rights, implementing data minimisation practices, and maintaining reasonable security procedures.
• There are serious risks associated with non-compliance, such as hefty fines, private lawsuits, and damage to brand reputation.
• Metomic data security software can help organisations comply with CCPA by monitoring SaaS applications in real time to detect the sharing of sensitive personal data, helping you to meet CCPA data protection requirements.

Modern technology allows businesses to collect vast amounts of personal data. This can be very valuable, as it helps businesses to create better products and deliver personalised experiences to consumers.

But mass data collection has also raised serious concerns about data being misused for profit or falling into the hands of cybercriminals. Increased awareness of these risks brought about the California Consumer Privacy Act (CCPA), a landmark statute that gives Californians greater control of their personal data.

What is the CCPA and why was it introduced?

The California Consumer Privacy Act (CCPA) - and its amended version, the California Privacy Rights Act (CPRA) - protects the data privacy rights of the state’s residents. The regulation sets out strict requirements for handling consumer data as a business.

The regulation is modelled after the EU’s General Data Protection Regulation (GDPR), introduced in response to the boom in the buying and selling of consumer data. Experts predict this lucrative industry will grow to $450 billion by 2030, but until recently it was largely unregulated.

A data collection free-for-all poses a threat to both individual privacy rights and cybersecurity, as high-profile data breaches and privacy scandals like the Facebook-Cambridge Analytica scandal have shown. For this reason, there was a clear need for regulators to make sure that consumers are asked for proper consent before sharing their personal data, as well as to ensure it isn’t being misused or put at risk by organisations that collect it.

Who does it apply to?

The CCPA applies to for-profit businesses operating in California that collect or process the data of the state’s residents.

To fall under the CCPA, businesses must meet at least one of the following criteria:

• Have annual gross revenue exceeding $25 million;
• Buy, sell, or share the personal data of at least 100,000 California residents or households annually;
• Generate at least half of their annual revenue from selling the personal information of California residents.

The CCPA does contain some exemptions, such as for data regulated by certain federal laws like the Health Insurance Portability and Accountability Act (HIPAA). It also exempts certain entities like non-profits and healthcare providers.

What are the key CCPA requirements?

The CCPA codifies six key data privacy rights, which businesses need to respect to be compliant:

• Right to Know: Businesses must respond to consumer requests to provide the personal data collected, its usage, and who it's shared with.
• Right to Delete: Businesses must implement a system to handle consumer requests to delete their personal data.
• Right to Opt-Out of Sale/Sharing: Businesses must allow consumers to opt out of the sale or sharing of their personal information.
• Right to Non-Discrimination: Businesses can’t discriminate against consumers for trying to invoke their data privacy rights.
• Right to Correction (CPRA addition): Businesses must have a process to address and correct inaccurate personal information about consumers.
• Right to Limit Use/Disclosure of Sensitive Data (CPRA addition): Businesses must have processes to address consumer requests to limit the use and disclosure of certain sensitive personal information. This also means not demanding excessive information from consumers making such requests, according to a recent advisory.

The CCPA also mandates data minimisation from companies. This is the practice of only collecting the data the business needs from its consumers, rather than gathering all kinds of information that isn't directly relevant to their service or operation.

Additionally, the CCPA requires businesses to implement and maintain ‘reasonable security procedures and practices’. The term "reasonable" isn’t explicitly defined by the statute. However, the California Attorney General has said that industry-accepted security frameworks should be followed. These include the likes of the ISO/IEC 27000 standards, CIS Controls, the NIST Cybersecurity Framework, and PCI DSS.

Does complying with GDPR make you CCPA compliant too?

Complying with GDPR doesn’t guarantee CCPA compliance, and vice versa. Despite similar objectives, the GDPR and CCPA are ultimately two separate sets of regulations with different requirements. Examples of key differences include:

• Applicability: GDPR applies broadly to any organisation processing EU resident data. CCPA is more specific, targeting businesses above a certain size or those dealing with a large amount of Californian resident data.
• Scope: CCPA covers household and device data, while GDPR doesn’t.
• Sensitive data: GDPR offers stricter protections for specific sensitive data types, while the CCPA doesn't make this distinction.
• Consent: GDPR requires clear user consent before processing data, while CCPA allows businesses to automatically track data while giving users an opt out option.

It’s also worth noting that there are key differences between different US states’ data privacy laws. The CCPA has some broader and more detailed requirements than other state privacy laws like the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA).

In short, you need to comply with the local data privacy laws for every jurisdiction your business operates and collects consumer data in. Businesses need to determine what each regulation requires of them and then make the necessary changes to follow the requirements.

What are the risks of not complying?

Organisations audited and found not to be complying have 30 days to fix the issues discovered. If not, they face fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Individuals can also bring private lawsuits and sue for damages up to $750 per breach.

As breaches rarely involve a single individual, these numbers can stack up, meaning that fines can be significant. For example, French retailer Sephora was hit with a $1.2 million fine, and DoorDash was recently fined $375,000.

Not complying with the CCPA can also damage your reputation. Being seen not to respect data privacy erodes trust with your customers, investors and partners, leading in turn to lost business.

A Cisco study shows that 81% of respondents believe an organisation's treatment of personal data reflects whether it respects its customers. Consumers are increasingly willing to take action over these concerns: 37% say they’ve switched providers over data privacy practices. This means that the long-term financial consequences of reputational damage could be even greater than any fines.

How can Metomic help with CCPA compliance?

Businesses often store consumer data in SaaS applications like Google Drive. Making sure that this SaaS data is protected is crucial for complying with the CCPA, which is where Metomic can help.

• Metomic monitors SaaS applications in real time to detect the sharing of sensitive personal data, helping you to meet CCPA data protection requirements.
• Its monitoring capabilities provide insights into the location of sensitive personal data and how it is managed by employees.
• Thanks to automatic retention periods for sensitive data, security teams can make sure that the data isn't kept longer than necessary for its purpose. This helps to meet CCPA data minimisation requirements.

If you want to learn more about how Metomic helps you protect sensitive consumer data and comply with the CCPA, take a look at how we helped Zappi secure their Google Workspace and respond more quickly to possible data leaks.