A whopping 94% of organizations acknowledge that their customers will not do business with them if their data isn’t properly protected. And 91% admit they must do more to reassure customers about how their data’s being used by third parties and new technologies, including artificial intelligence (AI).
The California Consumer Privacy Act of 2018 gives consumers more control over their data. Enacted in January 2020 and enforced by the California Attorney General's office, the law requires all businesses that collect personal data from California residents to comply with its strict regulations. The California Privacy Rights Act (CPRA) expands and strengthens these rights, imposing additional obligations and increased penalties.
The California Consumer Privacy Act (CCPA) is a law that gives California residents the right to know what personal information is being collected about them, the right to have that information deleted, and the right to refuse its sale.
It applies to any for-profit business conducting business in California that meets one or more of the following criteria:
There are five main requirements for businesses:
In addition, businesses must provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that takes consumers to an opt-out page.
Unlike the GDPR, which focuses on protecting specific data, the CCPA concentrates more on what constitutes sensitive information. For example, olfactory data, website browsing history, and user activity records are all included. Under CCPA, "personal information" includes:
The California Attorney General's office enforces the CCPA, and violations can result in civil penalties of up to $2,500 per violation or $7,500 per intentional violation.
The CCPA also gives consumers the right to file a private right of action if their personal information is breached due to a business's failure to implement reasonable security measures. In such cases, consumers can recover damages of up to $750 per consumer per incident or actual damages, whichever is greater.
A "third party" under CCPA is a person or agency that receives personal information but is outside the business that collects it. This includes businesses that are exempt and any service providers that process personal information on behalf of a business. With the passage of Senate Bill 362 in October 2023, data brokers are now considered third parties and are defined by CCPA as companies that knowingly collect and sell to third parties a consumer’s personal information, even though they don’t have a direct relationship with the consumer.
Any business that doesn’t collect personal information from California residents is exempt from CCPA. Other notable exemptions are businesses governed by different privacy laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). It also exempts businesses with less than $25 million in annual revenue, businesses that do not sell personal information, and businesses that collect only a limited amount of personal information.
Exempt consumer data types include:
The CCPA provides some leeway for businesses to comply with the law, including partial exemptions for business-to-business contact information handled solely in the context of due diligence. However, it’s important to note that the law applies to all businesses that collect the personal information of California residents.
People often refer to CCPA as California's GDPR. However, that's not accurate. Beyond protecting the data privacy rights of EU citizens rather than California residents, the General Data Protection Regulation has several significant differences from CCPA:
Businesses violating CCPA are notified by regulators and are given 30 days to fix the issue. If it isn't resolved within that time, the business is fined:
CCPA also allows consumers to file a private right of action if their non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to the business's violation. This means individual consumers can sue businesses for damages, which can be costly. In addition, the attorney general has the right to file a civil action against companies for law violations.
Beyond penalties and lawsuits, you'll also face other breach-related costs. These can include notifying consumers of the breach, providing them with credit monitoring services, and dealing with the fallout from a PR and reputational perspective. As consumers become increasingly aware of their data privacy rights, they are more likely to take action against companies that violate them.
All these costs can quickly add up, underscoring the importance of CCPA compliance. Understanding the law and taking steps to comply can help protect your business from costly penalties and reputational harm. With so much at stake, businesses must understand CCPA and take the necessary steps to ensure compliance.
CCPA compliance is no easy feat, but companies can take a few steps to ensure they comply with the law.
CCPA applies to any for-profit business that does business in California and meets one or more of the following criteria:
If CCPA applies to your business, then you need to take steps to ensure compliance.
CCPA defines personal information as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
These include names, addresses, email addresses, phone numbers, social security numbers, driver's license numbers, and more. Once you've identified the personal information you collect and store, you must protect this information.
CCPA requires businesses to take reasonable security measures to protect consumers' personal information from unauthorized access, destruction, use, modification, or disclosure. This includes encrypting personal information and ensuring that only authorized employees have access to this information.
The CCPA gives consumers the right to know what personal information is being collected about them, the right to know how this information is being used, the right to have this information deleted, and the right to opt out of data sharing.
You must ensure that you have policies and procedures to address these rights. This includes ensuring your business has a data retention policy defining how personal information is collected and used, and ensuring consumers can exercise their rights under the law.
CCPA compliance is a team effort. It is essential to involve all teams and departments in the CCPA compliance process, from the IT department to the marketing department.
Each team will have different CCPA-related responsibilities. For example, the marketing team will need to ensure that they're not collecting or using personal information in a way that CCPA prohibits. The IT team will need to ensure that personal information is properly secured.
Develop a CCPA compliance plan that includes the compliance steps your business has adopted, who’s responsible for CCPA compliance, and how compliance will be monitored. It's important to note that CCPA is a fluid law. It's constantly evolving, and new regulations can be added anytime. As such, it's important to regularly review your CCPA compliance plan and ensure it's up-to-date.
As you prepare to become CCPA compliant, you can expect disruption at all levels of the organization. To ensure a successful CCPA rollout, it's important to establish a designated task force responsible for developing and implementing the CCPA compliance plan. The task force should also be responsible for educating employees about CCPA and ensuring that all employees know their obligations under the law.
Once you've developed a CCPA compliance plan, you must implement CCPA compliance policies and procedures. These policies and procedures should be designed to help your business comply with the law. Items to incorporate into your CCPA compliance policies and procedures include data retention policies, opt-out processes, and training programs.
CCPA regulations apply to California residents. However, if your business also serves clients outside the state, or plans to do so, it doesn’t make sense to maintain separate security frameworks; a single framework is easier to run and less risky. Therefore, you should treat every customer as if they were a California resident to ensure CCPA compliance.
This involves ensuring that all personal information is properly secured and that only authorized employees can access this information. It also includes ensuring that consumers can exercise their rights under CCPA, regardless of their residence.
By doing so, you'll insulate the company from the hassle of adjusting to security frameworks from other states as they're implemented.
CCPA compliance should not be viewed as a one-time event. Instead, it should be integrated into your company culture. CCPA compliance should be an ongoing process that's regularly reviewed and updated as needed.
One way to do this is to make CCPA compliance part of your employee onboarding process, ensuring that all new employees know and understand their obligations under the law and the value the company puts on compliance.
Employees play a central role in a business’s capacity to achieve and maintain CCPA compliance. Companies must take steps to ensure employees understand CCPA and how it applies to their job functions.
One way to do this is by conducting regular CCPA training for all employees. The training should be designed to help employees understand CCPA and how it affects their day-to-day work. By conducting routine staff training, you help ensure employees are always up-to-date on CCPA and that they understand their obligations under the law.
Monitoring CCPA compliance includes regularly auditing your privacy and information security framework, ensuring that consumers can exercise their rights under CCPA, and monitoring changes.
Put into effect in January 2023, the CPRA does not replace the CCPA; rather, it amends it in several key ways. One of the most significant is the creation of a new enforcement agency, the California Privacy Protection Agency (CPPA), which has the authority to investigate complaints, issue fines, and create regulations.
New rights in addition to those provided by the CCPA include:
Other key changes include:
With concerns about data privacy increasing, organizations can expect more regulations to come up and existing ones to be updated. That means adopting an even more proactive and robust approach to managing consumer data.
At Veritas, we understand that data compliance and governance can be intimidating, especially with emerging and evolving regulations. Our industry-leading solutions provide everything you need to comply with CCPA, streamlining regulatory compliance with a suite of specialized capabilities that allow you to gain greater visibility and control of data and regulations. You can easily capture, archive, and find relevant data from over 120 content sources, optimizing data compliance and addressing any loopholes in your data governance.
The CCPA is a groundbreaking law that gives consumers more control over their personal information by requiring businesses to take steps to protect sensitive data and allowing consumers to exercise their privacy rights, including the ability to opt out of the sale of their personal information.
Contact us today to learn more about how Veritas can help keep your organization in compliance with CCPA and other regulatory laws.