
California Consumer Privacy Act (CCPA) Compliance Guide

Compliance & Regulation


The California Consumer Privacy Act (CCPA) is “the first consumer privacy act in the country,” as one California legislator put it. No other US state has provided its citizens with GDPR-like protections, which include a transparency right that requires companies to inform consumers about the data collected and shared, and gives them a right to access, to delete, and to opt-out. Read on to learn more about meeting the compliance requirements, preparing for the law, and the precedent that the CCPA sets.

What is the California Consumer Privacy Act?


The CCPA is a law designed to protect the data privacy rights of citizens living in California. In short, the law forces companies to provide more information to consumers about what’s being done with their data and gives them more control over the sharing of their data. The real issue that the law addresses is that most consumers don’t realize that their personal information is being shared or sold to others. This act ensures that they are given the chance to opt-out of having their information used in a way that they disapprove of.

When Does the Legislation Go Into Effect?

The CCPA has been a long time coming. The legislation was originally approved by Governor Brown in June of 2018 and is set to go into effect on January 1, 2020. In the last few months, there were several amendments kicked around by the legislators (see below). The law was finalized last month but with a few minor tweaks. Employers can breathe a sigh of relief with a last-minute change to the bill excluding employees from the CCPA — i.e., consent rules and right to delete won’t apply to workers.

Who Does the CCPA Affect?


The CCPA covers any “business” (a for-profit legal entity) that collects and sells consumer “personal information”. There are a few exemptions that we need to get into. The legislators set a minimum bar in terms of revenue and the number of consumer records being processed for the CCPA to kick in. A company has to meet at least one of the following for the CCPA to apply:

  • Have $25 million or more in annual revenue; or
  • Possess the personal data of more than 50,000 “consumers, households, or devices” or
  • Earn more than half of its annual revenue selling consumers’ personal data.

So far so good. If you read more of the fine print of the CCPA, you’ll notice the California lawmakers wanted to exempt certain health and financial companies that are already under federal data security laws. So the CCPA doesn’t apply to:

  • Health providers and insurers already under HIPAA
  • Banks and financial companies covered by Gramm-Leach-Bliley
  • Credit reporting agencies (Equifax, TransUnion, etc.) that are under the Fair Credit Reporting Act

Important CCPA Definitions to Understand

Like the EU General Data Protection Regulation (GDPR), the CCPA gives consumers important new rights: a right to know (or “transparency”) about how their data is being used, a right to access, and a right to opt-out of having their data sold (opt-in for minors) to third parties.

In short, businesses have to inform consumers about categories of information that will be collected and the purpose for which it’s being collected — at or before the point the information is taken. So we can expect lots of emails from Californian companies about their data practices or more information provided on web forms in the coming months! Consumers can, of course, refuse consent.

But if the consumer agrees to the data collection, they have additional rights. They can make an access request for their personal information to find out in more detail about the specific pieces of information held by the business and the third parties that received their information. They also have a right to delete their information (with some exceptions).

One more point that is very important: if consumers exercise any of their rights, they can’t be discriminated against by being denied goods or services.

CCPA and Personal Information

The CCPA applies to personal information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In the world of data compliance laws, this is about as broad as personally identifiable information (PII) gets. The words “relates” and “reasonably linked” open up a very large class of non-traditional identifiers, well beyond name, address, and social security number.

Just to make sure that companies have grokked what is going on, the legislators listed a few specific examples, including:

  • Email address
  • Online handles
  • IP address
  • Biometric information
  • Geolocation data
  • Browsing and search history

If you want to see the whole shooting match, here’s an excerpt from the actual bill:

[Screenshot: excerpt of the CCPA bill text listing the categories of personal information]

How is the California Consumer Privacy Act Enforced?

The California Attorney General will enforce the CCPA. But there’s an interesting twist to enforcement. The CCPA provides for a “private right of action” in instances where there’s theft or disclosure of non-encrypted or non-redacted personal information.

Real-World CCPA Penalties

In plain English, this means that consumers and their private attorneys can bring a legal action for statutory damages ranging from $100 to $750 per violation or actual damages, whichever is greater. Keep in mind that with statutory damages, consumers don’t have to prove that they incurred an actual financial loss; they only have to show that the company violated the law! Yes, the CCPA is a big deal for data privacy attorneys, and companies should be wary of the potential for class-action suits.

The Keys to CCPA Compliance


The CCPA is mostly about consumer privacy rights. There is, for now, a vague requirement for implementing reasonable security measures — this part may be made more explicit in the future.

CCPA Preparation

With that in mind, preparation for the CCPA is not all that different from our advice for preparing for the EU’s GDPR, though the GDPR certainly has stricter security requirements on the books. In fact, our GDPR white paper has a good overall plan for tackling the CCPA’s security and privacy requirements. If we had to summarize what you need to do in a few short sentences, it’s this:

Groundwork

  1. Identify and classify your data assets: find out where the CCPA personal information is located and whether the data is at risk by checking access permissions.
  2. Dig deeper into the CCPA personal data to identify those folders that are rarely accessed. Stale personal data serves little purpose and is an unnecessary security risk!

Implementation

  1. After analyzing the personal data and its permissions, put the right permissions in place. A very effective security measure is to limit data access to those who need it as part of their job, i.e., role-based access control.
  2. Archive or delete stale personal data.
  3. Implement a program to monitor personal data against outside threats and unauthorized access.
  4. Maintain the security and privacy of the personal data by continually reviewing the data and its permissions.

Maintain

  1. Be on the lookout for new cyber threats, and adjust privacy and security as needed.
  2. Return to step 1! You’re never really done with CCPA or any other kind of compliance standard – you’re always in some phase.
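As an added illustration of the Groundwork steps (and the broad-permission check from Implementation step 1), here is a small Python inventory script that is not part of the original post or any Varonis product. It walks a directory tree, flags files containing two of the CCPA-listed identifier categories (email and IP addresses), records whether the file is readable by everyone, and marks data as stale when it has not been read or modified for 180 days; the regexes, the 180-day threshold, and the sample files it builds are all constructed assumptions for the example.

```python
import os, re, stat, tempfile, time
from pathlib import Path

# CCPA-listed personal-information categories matched with simple regexes (example, not a product).
PI_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
STALE_DAYS = 180  # assumption: not read or modified for six months counts as stale

def classify_text(text):
    """Return the set of personal-information categories found in text."""
    return {name for name, rx in PI_PATTERNS.items() if rx.search(text)}

def inventory(root, now=None):
    """Groundwork steps 1 and 2: per file holding personal information, record its
    categories, whether 'other' can read it (POSIX 'Everyone'), and staleness."""
    now = time.time() if now is None else now
    base, findings = Path(root), {}
    for p in (q for q in base.rglob("*") if q.is_file()):
        st = p.stat()  # stat before reading so the read itself does not refresh atime
        cats = classify_text(p.read_text(errors="ignore"))
        if cats:
            findings[p.relative_to(base).as_posix()] = {
                "categories": sorted(cats),
                "broad_access": bool(st.st_mode & stat.S_IROTH),
                "stale": now - max(st.st_atime, st.st_mtime) > STALE_DAYS * 86400,
            }
    return findings

def build_sample_tree(root, now):
    """Constructed sample data: a stale, world-readable customer export; a fresh,
    locked-down log holding IP addresses; and a file with no personal data."""
    for rel, content, mode, age_days in [
        ("exports/customers.csv", "id,email\n1,ana@example.com\n", 0o644, 400),
        ("logs/access.log", "203.0.113.7 GET /account\n", 0o600, 1),
        ("readme.txt", "Quarterly planning notes.\n", 0o644, 400),
    ]:
        f = Path(root) / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(content)
        os.chmod(f, mode)
        os.utime(f, (now - age_days * 86400,) * 2)  # set atime and mtime together

def demo():
    with tempfile.TemporaryDirectory() as d:
        now = time.time()
        build_sample_tree(d, now)
        return inventory(d, now)
```

Running `demo()` reports the customer export as broadly readable and stale (a candidate for tightening permissions or archiving) and the access log as neither, while the file without personal information is not listed at all.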

The CCPA also has requirements for consumer access and the deletion of their data. However, if you’ve done the work of classifying personal data, this step should not necessarily be a burden, particularly if you have the right technology.

Data Security in the CCPA and NIST CIS Framework

There are obvious parallels between the CCPA and the EU GDPR. A law firm has mercifully put together this chart comparing the two. One of the key differences between the CCPA and the GDPR is that the EU law has very strong data security requirements. The GDPR contains both data privacy and security rules, but that is not the case with the CCPA, which is focused on consumer privacy.

Over the last few months, there have been a few amendments kicking around Sacramento. One that caught my attention, AB-1035, adds very specific language about … data security.

AB-1035 takes on the challenge of defining the well-known boilerplate phrase “reasonable security”, which is often found in state data breach laws but typically with no explanation attached to its meaning. This amendment boldly proposes the NIST Framework for Improving Critical Infrastructure Cybersecurity (CIS) and another NIST standard 800-171, which is a trimmed-down version of the encyclopedic 800-53, as a potential baseline security standard for the state.

This is a big deal: not even the EU GDPR explicitly refers to outside data standards. Alas, this amendment proved to be too radical for California: the CCPA was finalized on September 13, and the bill doesn’t include this particular amendment (for now). Oh well.

Let’s give California credit for considering the CIS Framework. In case you’ve forgotten, a framework is not the same as a security standard. Instead, it’s a kind of meta-standard, which provides a list of meta-security controls that map into real security controls within existing data standards.

The CIS Framework supports mappings into, not surprisingly, NIST 800-53, and the other usual suspects, including COBIT 5, SANS CCS, ISO 27001, and ISA 62443.

The big idea behind the NIST CIS Framework is that companies that are already following existing data security standards can continue to do so. They simply examine the parts of CIS they’ve covered, and then fill in shortfalls as needed. The CIS Framework as a legal basis for compliance makes good sense since it doesn’t penalize companies for the data security programs they already have in place!

The Future of Data Privacy and Security: CCPA’s Legacy

The CCPA is already making waves. With Washington still not providing leadership at the federal level, it’s not surprising that other states have taken a cue from California and drafted their own privacy laws. There are already several CCPA copycat laws from New York, Massachusetts, Maryland, North Dakota, and other states. And if you look at a recent proposal from US executives for a federal privacy law, it bears more than a passing resemblance to the CCPA.

Change is coming, whether from your own state or eventually at the federal level. Companies should play it smart, by aligning their data security and privacy practices with the CCPA. Specifically, they should have programs and technologies to classify personal data, protect it, and then constantly monitor and analyze for threats.

How does Varonis help with the CCPA?

We at Varonis have a history of helping companies comply with various data security laws and compliance standards (PCI DSS and many others). You can read more about how we help in this fascinating series of blog posts on this very subject.

But here’s a quick tour of the Varonis approach to compliance. DatAdvantage reports can help IT staff spot and index folders containing sensitive CCPA data. Digging deeper with DatAdvantage, they can find those folders that have broad permissions – say “Everyone” access. DatAdvantage reports also can help IT groups track who’s accessing the files containing CCPA data.

They can then move to the next phase and use DatAdvantage to work out the actual data owners of the folders, the business users best suited to know who is authorized and who should be dropped. DatAdvantage can help in this process through automated recommendations for group ownership, and can also automatically adjust access rights. DataPrivilege then keeps the data owners in the loop by directing future access requests from users directly to the better-informed owners.

DatAlert is our always-on monitoring software that detects and alerts IT staff when there are signs of unauthorized access, malware activity, or other unusual behavior. With IT alerted, they can respond to a potential attack and take appropriate actions: deactivate accounts, quarantine files, etc.

Finally, to handle a CCPA consumer request for data, DatAnswers can quickly find personal data and then allow the company to quarantine or delete the information.

Want to learn more?

Find out how Varonis can help you prepare for the CCPA by taking a custom product tour with one of our security engineers.

Andy Green


Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.
