The following types of companies need to comply with the CCPA:
- Companies that exceed $25,000,000 in annual gross revenue;
- Companies that obtain the personal information of 50,000 or more California residents, households or devices per year; or
- Companies that obtain 50% or more of their annual revenue from selling the personal information of California residents.
The penalties for non-compliance with the CCPA are steep: $2,500 per violation and $7,500 per intentional violation of the law. The CCPA also allows consumers to sue businesses and collect from $100 to $750 in damages if their personal information has been breached due to the business failing to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the information.
- A description of the consumer’s rights and one or more designated methods for submitting requests to enforce those rights;
- A list of the categories of personal information that the business has collected about Californian consumers in the last 12 months;
- A list of personal information that the business has sold in the last 12 months by category. If the business has not sold any information in the last 12 months then this has to be stated as well; and
- A list of personal information that the business has disclosed to third parties in the last 12 months by categories. If the business has not disclosed any information in the last 12 months, then this has to be stated as well.
An IT perspective
As mentioned earlier, the CCPA affords Californians some new rights regarding their personal information. One of these rights is the right to access, meaning that a California resident can ask a business to disclose the categories and specific pieces of information that the business has collected about them. The business must deliver this information by mail or electronically, free of charge. If the information is provided electronically, it must be in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit this information to another entity without hindrance. When you think about where you and your staff store information, this seemingly simple task can suddenly become very overwhelming. Consider this: you may have personal information of customers on the backend of your website, in spreadsheets, in your accounting system, and in emails. In order to respond to these requests quickly without weakening your company's security posture, it is crucial that you review the information management system your company has in place. Many companies use this opportunity to review other policies that have overlapping responsibilities, such as the Security Policy, Incident Response Plan, BC/DR Plan, Employee Handbook, and Employee IT Acceptable Use Policy. The CCPA also affords Californians the right to request that a business delete any personal information that it has collected from the consumer. Again, this can be an overwhelming task if you do not have the proper infrastructure set up.
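To make the access and deletion tasks above concrete, here is an added Python example that is not part of the original post or of any product mentioned in it. It keeps a small inventory of every place personal information lives (the store names, data categories and consumer records below are constructed for illustration), answers an access request as a portable JSON export that lists both categories and specific pieces, answers a deletion request with a per-store result, and records both in an audit trail. Verifying that the requester really is the consumer is assumed to happen before these functions are called.

```python
"""Added example: a personal-data inventory that answers CCPA-style access and
deletion requests across several stores. All store names, categories and
records here are constructed sample data, not a real system."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
import json
from typing import Dict, List


@dataclass
class DataStore:
    """One place personal information lives (website backend, spreadsheet, CRM...)."""
    name: str
    categories: List[str]                                   # CCPA categories held here
    records: Dict[str, dict] = field(default_factory=dict)  # keyed by consumer id

    def lookup(self, consumer_id: str):
        return self.records.get(consumer_id)

    def erase(self, consumer_id: str) -> bool:
        # True if something was actually removed from this store
        return self.records.pop(consumer_id, None) is not None


class PersonalDataInventory:
    """Registry of stores plus an audit log of every request handled."""

    def __init__(self):
        self.stores: List[DataStore] = []
        self.audit_log: List[dict] = []

    def register(self, store: DataStore) -> None:
        self.stores.append(store)

    def _log(self, action: str, consumer_id: str, detail) -> None:
        self.audit_log.append({
            "action": action,
            "consumer_id": consumer_id,
            "detail": detail,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def access_request(self, consumer_id: str) -> dict:
        """Right to access: categories collected plus the specific pieces, per source."""
        categories = set()
        pieces = {}
        for store in self.stores:
            record = store.lookup(consumer_id)
            if record is not None:
                categories.update(store.categories)
                pieces[store.name] = record
        self._log("access", consumer_id, sorted(pieces))
        return {
            "consumer_id": consumer_id,
            "categories": sorted(categories),
            "data_by_source": pieces,
        }

    def deletion_request(self, consumer_id: str) -> Dict[str, bool]:
        """Right to delete: remove the consumer from every store; report each one."""
        results = {store.name: store.erase(consumer_id) for store in self.stores}
        self._log("delete", consumer_id, results)
        return results

    def residual_check(self, consumer_id: str) -> List[str]:
        """Names of stores that still hold the consumer (should be empty after deletion)."""
        return [s.name for s in self.stores if s.lookup(consumer_id) is not None]


def to_portable_json(export: dict) -> str:
    """Portable, machine-readable form of an access export."""
    return json.dumps(export, indent=2, sort_keys=True)


def build_sample_inventory() -> PersonalDataInventory:
    """Constructed sample data: three stores, one consumer spread across two of them."""
    inv = PersonalDataInventory()
    inv.register(DataStore("website_backend", ["identifiers", "internet_activity"],
                           {"c-1001": {"email": "ana@example.com", "last_login": "2020-01-02"}}))
    inv.register(DataStore("accounting_spreadsheet", ["identifiers", "commercial_information"],
                           {"c-1001": {"invoice_total": 120.0},
                            "c-2002": {"invoice_total": 40.0}}))
    inv.register(DataStore("email_archive", ["identifiers"], {}))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print(to_portable_json(inventory.access_request("c-1001")))
    print(inventory.deletion_request("c-1001"))
    print("still present in:", inventory.residual_check("c-1001"))
```

The residual check after deletion is the part worth keeping in a real process: a deletion request is only complete when every registered store reports the consumer gone, and the audit log is what you show when asked how a request was handled.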
When one begins to discuss consumer information specifically, it's easiest to break the process down into sections and tackle it section by section.
- Analysis and Requirements
  - What data are we collecting?
  - Why are we collecting it?
  - Who needs access to it?
  - How long do we need to keep it?
  - What security standards or compliance requirements do we need to adhere to?
  - What security standards or compliance requirements do our customers or vendors need us to adhere to?
  - How are we collecting data?
  - Where are we storing data?
  - What technology controls are required to ensure integrity and backup of data?
  - What processes do we need to change and document?
  - What process and security training is needed for employees so that they can properly handle requests for information?
- Implementation of technology or process and gathering consumer data
  - Install/modify the system for collecting data
    - Information Management System
    - Security Systems
    - Proper logging, monitoring, and reporting
  - Change and document processes
    - Include a new policy for informing customers what data is being collected
    - Include a policy for handling a request for the information that was collected
    - Include a policy for requesting the deletion of data
- Training of employees
  - Install/modify the system for collecting data
  - Procedure walkthrough
  - End-user and employee testing
  - Security testing and validation
  - Backup testing
- Removal of data
  - How is IT handling data retention length?
  - Is data being properly disposed of?
  - Are there certifications from your recycler?
- Scheduled review
  - What needs to be fixed?
  - What new requirements does the business have?
  - What new security challenges are occurring?
  - Implement changes
  - Test changes
  - Ongoing training
Start preparing now
About the authors:
Danny Poull, Data Solutions Architect for Wood Dale, IL-based CCC Technologies Inc. and content contributor to this post, is a veteran IT consultant with 13+ years of experience, over 10 certifications, and a passion for assisting CCC customers to build IT management solutions. Danny stays up to date with security and business trends that impact businesses on a large scale by attending conferences, participating with CompTIA, and attending training, as well as talking to businesses directly about the challenges they face. He then helps those businesses design an IT solution to meet those needs.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.