Understanding Compliance: California Consumer Privacy Act
By now, you’ve likely heard of the California Consumer Privacy Act, or the CaCPA or CCPA for short. This law is intended to provide California residents with greater control over their personal information when it takes effect on January 1, 2020. As with most new compliance mandates or regulations, you are likely asking, “will this law apply to my organization?” And if so, “how do we become compliant?” Now is the time to determine the answer to both of those questions, well in advance of the January 2020 effective date.
Who must comply?
The first question is the easiest to answer. The CCPA applies to for-profit entities that do business in California, collect the personal information of California residents, determine the purpose and means of processing that data, and meet at least one of the following criteria: have an annual gross revenue greater than $25 million; buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices; or derive at least 50% of their annual revenue from selling consumers’ personal information.
While these criteria are fairly straightforward, it’s worth noting the reference to the personal information of California “consumers, households, or devices.” The threshold is counted not only per individual but per household and per device, which is a broader way of counting than we have seen in other privacy and data protection regulations, and it potentially makes the 50,000 threshold fairly easy for an organization to cross: a website that sets identifiers on visitors’ devices can reach it without ever knowing a single name.
Begin your CCPA compliance now
If your business meets the criteria described above, it’s important to begin developing a CCPA compliance plan now, even though the law doesn’t take effect until 2020. While the CCPA is not quite as burdensome as the EU’s General Data Protection Regulation (GDPR) – it doesn’t require the appointment of a data protection officer (DPO) or conducting data protection impact assessments (DPIAs) for example – it is similar enough to the GDPR to know that undertaking and implementing a CCPA compliance effort will take considerable time and resources. The good news is that if your organization has undertaken steps to comply with the GDPR, much of that effort will also be applicable to the CCPA. Alternatively, if you have ignored the GDPR up until now, the CCPA should serve as a warning that the ongoing global rise in privacy regulation is now beginning to permeate the United States.
Perform an individual rights gap analysis
One of the GDPR compliance obligations organizations have most struggled to meet is the requirement to appropriately respond to the rights exercised by individuals with regard to their personal information. Many of the rights granted to California residents under the CCPA are similar to those afforded EU citizens under the GDPR and the ability to comply with requests related to those rights can require significant modifications to your business’s processes and systems.
For example, under the CCPA, a consumer has the right to request access to the information a business may have about that individual. The business must provide that consumer with details about the collection, sale, and sharing of his or her personal information within 45 days. If the request for access was made electronically, the business must provide the data in a portable and “readily useable format.”
Similarly, consumers can request that a business delete their personal data. There are certain exceptions under which a business can deny the request such as the performance of a contract, but if one of the exceptions does not apply, then the business must be prepared to honor the consumer’s request. The sooner you can identify the systems that are involved in responding to these consumer requests and the impact honoring the requests will have on your business, the sooner you can identify gaps in your current processes and procedures.
Update your privacy notice
If you have a privacy notice on your website (and you should), the CCPA requires all businesses that are subject to the law to include a description of California consumer privacy rights on that page, as well as a “clear and conspicuous link” titled “Do Not Sell My Personal Information” that gives the consumer or their representative the ability to opt out of the sale of the consumer’s personal information. The consumer must be able to understand their rights and know how to exercise them, and must be informed of the categories of personal information the business is collecting, selling, or sharing. These requirements are similar to the GDPR’s requirement for “concise, transparent, intelligible and easily accessible” communication with data subjects, but the CCPA’s requirements are specific enough that updates to your privacy notice will be needed even if it is already GDPR compliant.
One interesting option provided by the CCPA, is that a business may maintain a separate webpage dedicated to California consumers that includes the required link and text, rather than updating existing pages, provided the business “takes reasonable steps” to direct California residents to the dedicated page. This is a potentially feasible option at the moment, but as additional states follow California’s lead and implement data protection laws of their own, maintaining multiple state specific pages is likely to become unwieldy.
Create or update existing data maps
While it’s not specifically called out in the CCPA, you should have inventories of the personal information your business collects on consumers, as well as maps showing how the data is processed and stored. You can’t effectively respond to requests by California residents to access or delete their personal information if you don’t know what systems contain the data. Additionally, you can’t effectively protect what you don’t know you have.
Take a data-centric approach to security
One of the goals of the CCPA, along with the GDPR and other privacy regulations, is to ensure that individuals’ personal information is adequately protected. The CCPA specifically allows California consumers to pursue legal action against companies in the event of “unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information” that results from the business’s failure to implement and maintain reasonable security procedures. Note the wording: data that is encrypted or redacted at the time of the breach falls outside that private right of action. Consequently, one of the first steps you should take is simply to minimize the amount of personal information your business collects and stores. The second step you should consider is deidentifying the remaining personal data as much as possible.
The CCPA encourages organizations to deidentify the personal information they collect. Like the GDPR, the CCPA makes specific references to pseudonymization as a deidentification technique. In fact, the definition of pseudonymization in the CCPA closely resembles the GDPR definition:
“Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
Stated another way, pseudonymization is the replacement of sensitive or identifying data with mathematically unrelated values such as a pseudonym or token, while the mapping from token back to the original value (the “additional information” in the definition above) is held in a separate store under its own access controls. Pseudonymization can be performed in such a way as to maintain much if not all of the business utility of the data, for example by mapping the same input to the same token so that records can still be joined and counted per consumer, while protecting the data from unauthorized access, disclosure, or compromise in the event of a breach of the operational systems. Two caveats apply. First, pseudonymized data is still personal information under both the CCPA and the GDPR as long as the mapping exists; only properly deidentified or aggregate data falls outside the definition. Second, the protection is only as good as the separation: if the mapping store is compromised alongside the tokenized data, everything is re-identified, so the vault needs stricter access control, logging, and network isolation than the systems that consume tokens.
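The following added example (written for this page, not TokenEx’s platform or any product code) shows the structure the definition above describes: a vault that holds the token-to-value mapping separately from the operational records, consistent tokenization so tokenized records can still be joined per consumer, and how the same vault serves the access and deletion requests discussed earlier in the page. All class names, the `tok_` token prefix, and the sample order records are constructed for illustration.

```python
"""Toy pseudonymization (tokenization) vault.

Added example for this page, not TokenEx code. The TokenVault is the
"additional information kept separately" from the CCPA/GDPR definition;
BusinessRecords is an operational store that only ever sees tokens.
All names and sample data below are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


class TokenVault:
    """Token <-> identifying value mapping, kept apart from business data.

    Tokens are random, so nothing about the original value can be derived
    from a token without access to this store. In production the vault
    lives behind its own access control, logging and network boundary.
    """

    def __init__(self) -> None:
        self._token_to_value: dict = {}
        self._value_to_token: dict = {}

    def tokenize(self, value: str) -> str:
        # Consistent tokenization: the same value always yields the same
        # token, so downstream records can still be joined and counted
        # per consumer without holding the identifier itself.
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # 128 random bits
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def token_for(self, value: str) -> Optional[str]:
        # Lookup without creating a new mapping (used for rights requests).
        return self._value_to_token.get(value)

    def detokenize(self, token: str) -> Optional[str]:
        # Only callers with vault access can re-identify a record.
        return self._token_to_value.get(token)

    def forget(self, value: str) -> bool:
        """Drop the mapping for a value. Any copy of the token that survives
        elsewhere (backups, analytics exports) is no longer attributable."""
        token = self._value_to_token.pop(value, None)
        if token is None:
            return False
        del self._token_to_value[token]
        return True


@dataclass
class BusinessRecords:
    """Operational store: holds tokens and business fields, never raw PII."""
    vault: TokenVault
    orders: list = field(default_factory=list)

    def add_order(self, email: str, amount: float) -> None:
        self.orders.append({"customer": self.vault.tokenize(email), "amount": amount})

    def access_request(self, email: str) -> list:
        """Right to know: every record held about this consumer."""
        token = self.vault.token_for(email)
        if token is None:
            return []
        return [dict(o) for o in self.orders if o["customer"] == token]

    def delete_request(self, email: str) -> int:
        """Right to delete: remove the consumer's records and the vault
        mapping. Returns the number of records removed."""
        token = self.vault.token_for(email)
        if token is None:
            return 0
        before = len(self.orders)
        self.orders = [o for o in self.orders if o["customer"] != token]
        self.vault.forget(email)
        return before - len(self.orders)


def breach_exposure(records: BusinessRecords) -> set:
    """What an attacker learns by copying only the operational store."""
    return {o["customer"] for o in records.orders}


if __name__ == "__main__":
    vault = TokenVault()
    recs = BusinessRecords(vault)
    recs.add_order("alice@example.com", 10.0)   # constructed sample data
    recs.add_order("alice@example.com", 5.5)
    recs.add_order("bob@example.com", 7.0)
    print("operational store exposes:", breach_exposure(recs))
    print("access request:", recs.access_request("alice@example.com"))
    print("deleted:", recs.delete_request("alice@example.com"))
```

Two design points are worth noting. The vault keys its reverse index on the plaintext value because it has to hold the plaintext anyway to detokenize; what must never happen is that index leaking into the operational side. And because `forget` removes the mapping rather than hunting down every copy of the token, a deletion request is satisfiable even for tokens that have already been copied into logs or backups, which is the practical argument for tokenizing before data spreads rather than after.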
Now is the time to act
Don’t let the January 1, 2020, effective date for the CCPA dissuade you from beginning your compliance efforts now. There is enough commonality between the CCPA and the GDPR for privacy and data protection experts to know, and to warn, that you can’t achieve compliance with the CCPA overnight. One of the best places to start is by securing the personal data your organization holds. Utilizing a technology like pseudonymization will allow you to protect the sensitive data in your organization while meeting your compliance obligations under laws in multiple jurisdictions.
TokenEx is a company founded on the principle of safeguarding our clients and their partners against the inherent risk of storing and sharing sensitive information. Utilizing our industry-leading data protection platform, TokenEx clients pseudonymize identifying elements of the personal data in their environments through cloud-based tokenization, enabling them to demonstrate data protection by design and by default, as well as implementation of appropriate technical measures. TokenEx enables our clients to outsource their risk to us while lowering their data protection compliance obligations. Learn more at TokenEx.com and follow us on Twitter and LinkedIn.
John Noltensmeyer, CIPP/E/US, CIPM, CISSP, ISA is the Privacy and Compliance Solutions Architect for TokenEx. TokenEx is the industry leader for tokenization, encryption, and data vaulting.