CCPA: Everything You Need to Know

October 15, 2019
by Merry Marwig, CIPP/US

Following extensive media coverage of the Facebook-Cambridge Analytica scandal, the Equifax data breach, and countless other known data breaches, consumers have become more aware of how their personal data is being used and misused by companies.

In 2016, the European Union passed the General Data Protection Regulation (GDPR), which aims to protect consumer data and privacy. In the United States, no such national law exists. In the absence of comprehensive consumer privacy legislation at the federal level, California assembly member Ed Chau filed Assembly Bill 375, which later became the toughest, most extensive privacy law in the nation—the California Consumer Privacy Act (CCPA). “California took a historic step in enacting legislation to protect children and consumers by giving them control over their own personal data. Consumers should have a right to choose how their personal information is collected and used by businesses. It is your data, your privacy, your choice,” assembly member Ed Chau said when the CCPA bill passed.

This is a welcome change for consumers, but what does all this mean for businesses? 

Good question. Businesses and industry groups have often complained that the CCPA as written is vague and in some areas inconsistent with current laws. Recent guidance and amendments in October 2019 have helped clarify those ambiguities and remove inconsistencies in the law. But with ever-changing definitions and duties, businesses are now in a race against the clock to implement a compliant privacy program before the CCPA and its amendments go into effect on Jan. 1, 2020. Realizing that cobbling together a privacy program in-house could leave businesses at risk, many are turning to consultants, service providers, and software vendors to ensure compliance with the law.

What exactly is CCPA and who does it apply to?

The California Consumer Privacy Act (CCPA) is a privacy and consumer protection law that gives California consumers more control over the personal data that companies collect, sell, and share. Consumers will have access to data related to what personal information is being collected and what information was shared or sold, and to whom it is sold. Individuals will also have the ability to opt out of the collection and sale of their personal data and, by law, will not be discriminated against for requesting this information or for opting out of data collection. 

The CCPA applies to for-profit businesses operating in the state of California that meet one or more of the following requirements:

    • Have gross annual revenues in excess of $25 million 
    • Annually buy or receive personal information of 50,000 or more consumers, households, or devices
    • Derive 50% or more of their annual revenues from selling customers’ personal data

The CCPA does not apply to consumer data collected or sold wholly outside of California, nor does it apply to non-profit organizations.

Know where your company stores consumer data

To comply with the CCPA, it is necessary to know where your company stores its consumer data. Many companies accomplish this by completing a data inventory, followed by a data flow inquiry to understand how the data is used within and outside of the organization.

Questions companies should be able to answer include: where consumer data is obtained and stored, and whether it should be secured; whether the consumer data meets CCPA requirements upon collection; what kind of consumer data it is and for what business purposes it is used; which third parties have access to the data and how they categorize it; and whether the data needs to be encrypted, redacted, anonymized, or disposed of.

Types of personal information data protected under CCPA:

Consumer data that is protected under the CCPA includes:

    • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
    • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
    • Biometric information, including an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, voice recordings, faceprints, a minutiae template, voiceprints, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data containing identifying information.
    • Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
    • Geolocation data
    • Audio, electronic, visual, thermal, olfactory, or similar information.
    • Professional or employment-related information that is not publicly available.
    • Education information that is not publicly available.
    • Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
    • “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
    • “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
    • Historical data; consumers have the right to access data dating back to the last 12 months.
    • Categories of data collected on consumers and sold to or shared with third parties.

Anonymize any consumer data you can

Some good news -- de-identified, anonymized, or aggregate data is not subject to the CCPA. Where feasible for your business, reduce the amount of personally identifiable information (PII) stored on your systems. 

Data de-identification, or data anonymization, includes deleting personal identifiers such as names and quasi identifiers like dates of birth. The CCPA prohibits de-identified data from being re-identified and requires controls to ensure that attempts to do so are prohibited.

Encrypt, mask, pseudonymize, and redact what consumer data you must keep.

What is encryption? Besides being your saving grace regarding CCPA legislation, encryption is a way businesses can convert their sensitive data into code, making it unreadable to anyone except those given the decryption keys.

The CCPA explicitly calls for companies to encrypt personally identifiable information (PII) held on consumers. This is to prevent usage in the event the data is unlawfully hacked, leaked, stolen, or disclosed. To meet these requirements, encryption software uses cryptography to mask files, text, and data, protecting information from undesired parties. Encrypted data is transcribed into ciphertext where it becomes unusable to those without an encryption key to decrypt the information. Companies utilize these tools to ensure their sensitive data is secured even in the event of a breach. 

 

Data masking, or data obfuscation, is a strategy to prevent misuse of data by employees or insider threats. The consumer data retains features like age range and zip code, for example, while identifying information such as names, addresses, phone numbers, and other sensitive data is removed. This allows the company to use realistic data for testing and development without exposing personally identifiable information to everyday users. Data-masking software protects an organization’s important data by disguising it with random characters or other data so that it is still usable by the organization but not by outside forces.

Data redaction is a method where information is retained, but only visible to users with the right permissions. For example, instead of showing a non-privileged user a consumer’s Social Security number, the non-privileged user would see xxx-xx-xxxx.
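The difference between masking and redaction described above, shown as an added example that is not part of the original article. The sample record, the field names, and the `view_ssn` permission are constructed for illustration.

```python
import secrets
import string

# Constructed sample record (not real data).
RECORD = {
    "name": "Jane Example",
    "address": "123 Sample St, Sacramento, CA",
    "phone": "555-0100",
    "ssn": "000-12-3456",
    "age": 37,
    "zip": "95814",
}
DIRECT_IDENTIFIERS = ("name", "address", "phone", "ssn")


def _scramble(value):
    """Swap letters and digits for random ones; keep length and punctuation."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isalpha():
            out.append(secrets.choice(string.ascii_letters))
        else:
            out.append(ch)
    return "".join(out)


def mask_for_testing(record):
    """Masking: a copy for test/dev use. Identifying fields are disguised
    with random characters; age range and zip code stay usable."""
    masked = {field: _scramble(record[field]) for field in DIRECT_IDENTIFIERS}
    low = record["age"] // 10 * 10
    masked["age_range"] = f"{low}-{low + 9}"
    masked["zip"] = record["zip"]
    return masked


def view_record(record, permissions):
    """Redaction: the stored value is retained, but what a user sees
    depends on their permissions ("view_ssn" is a hypothetical name)."""
    view = dict(record)
    if "view_ssn" not in permissions:
        view["ssn"] = "xxx-xx-xxxx"
    return view
```

Masking produces a separate, disguised data set, while redaction leaves the original value in storage and only changes what is displayed, so the stored copy still needs protection such as encryption.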

CCPA compliance software 

What kind of software are companies using to comply with the CCPA? Short answer, a whole slew of data protection software and services, including: 

So, is the CCPA a cybersecurity law? 

In short, yes. The CCPA is both a consumer privacy law and a cybersecurity law, as it is prescriptive on how companies must secure consumers’ personally identifying information (PII) and related data in the event of a data breach. Specifically, the CCPA calls out the need to encrypt and anonymize identifiable consumer data to avoid fines. 

Data breaches & consumers’ legal recourse

Didn’t bother to encrypt your sensitive consumer data? Get ready to shell out some cash. Consumers have legal recourse if they discover plain-text, non-encrypted, or non-redacted consumer data was hacked, stolen, or otherwise disclosed due to the business’ inability to maintain reasonable security protocols. Consumers must notify the business of the disclosure of their personal data and businesses have 30 days to remedy the issue. If the issue is not satisfactorily remedied at that time, consumers may notify the Attorney General (AG) and the AG will determine if they will prosecute the business. If the AG finds the company intentionally violated CCPA provisions, the company may be liable for civil penalties of up to $7,500 for each violation. If the AG does not prosecute within 6 months, consumers can take civil action to recover damages in the amount of no less than $100 and no more than $750 per incident, may ask the courts for injunctive or declaratory relief, or any other relief deemed proper by the courts.

CCPA Amendments

Businesses have long argued that the CCPA has vague compliance guidance, that the timelines are unachievable, and that it contains conflicting obligations to consumers based on existing laws. On Oct. 11, 2019, several amendments to the CCPA were passed to provide clarification, address incongruencies, and provide compliance timeline extensions to certain groups.

A look ahead at future privacy regulations

The CCPA is just the beginning. Looking ahead, businesses should expect a patchwork of privacy regulations in the coming years. Over half of U.S. states brought forth some type of consumer privacy legislation in 2019, but many of those bills did not pass to become law (yet). States including Connecticut, Louisiana, and Texas passed legislation setting up consumer privacy task forces to study the issue.

A patchwork of state-based privacy regulation will make achieving compliance even more difficult. Privacy legislation has been discussed at the U.S. federal level to supersede states’ legislation, but bills have stalled in Congress. Regardless, businesses can expect more data privacy regulations in the near future. Begin preparing your business strategies to adapt in a changing legal landscape.

*Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.*

Merry Marwig, CIPP/US

Merry Marwig is a senior research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.