CCPA Compliance Best Practices

The state of California pioneered privacy laws in 2018 with the ratification of the California Consumer Privacy Act (CCPA), granting California residents a new level of privacy and control over their personal data. In 2020, the California Privacy Rights Act (CPRA), also known as Proposition 24, was passed by California voters through a statewide ballot. The CPRA would amend the CCPA, expanding the provisions and requirements for compliance. In this article, we’ll explore the CCPA and the changes brought about by the CPRA while highlighting privacy best practices.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a California state statute passed in 2018 that granted Californians privacy protections over their personal data. The CCPA went into effect in 2020 and gave residents the following rights, as stated by the Office of the Attorney General:

  • The right to know what personal information (PI) a business collects about them and how it is used and shared;
  • The right to delete PI collected from them (with exceptions);
  • The right to opt out of the sale or sharing of their PI; and
  • The right to non-discrimination for exercising their CCPA rights.

Additional protections were provided through 2020’s CPRA, which went into effect on January 1, 2023, and applies to any personal data collected on or after January 1, 2022. The California Privacy Rights Act (CPRA) of 2020 grants the following to California residents:

  • The right to correct inaccurate personal information that a business holds about them; and
  • The right to limit the use and disclosure of sensitive personal information collected by a business about them.

Under the CCPA, California consumers can submit data privacy consumer requests to businesses that hold their personal information in order to exercise their consumer data rights. Crucially, businesses that fall under the CCPA cannot waive these rights and cannot make California residents give them up. Violations of the CCPA may result in enforcement action by the California Attorney General or the California Privacy Protection Agency (CPPA). As of July 1, 2023, consumers can report businesses that violate the CCPA by filing a complaint with the California Privacy Protection Agency for an incident occurring on or after that date.

The organizations subject to the CCPA are for-profit businesses doing business in California. They must also meet at least one of the following criteria to be subject to the act:

  • Make gross annual revenue of over $25 million;
  • Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

In the context of California’s data privacy law, “personal information” includes anything that identifies, relates to, or could reasonably be linked with you or your household. “Sensitive personal information” is a subgroup of personal information that encompasses government identifiers; social security numbers; account authorization information; financial information (e.g., accounts, debit cards, credit card numbers with the required security code); geolocation; contents of physical mail, email, SMS, or text messages; genetic information; biometric information; health, sex life, or sexuality; union membership data; racial or ethnic information; and religious or philosophical beliefs.

Personal information, in this case, does not include any publicly available information, such as real estate and property records. 

The CCPA created something of a ripple effect across the United States, leading other states to develop and pass their own privacy protection acts, since there is no overarching federal data privacy law governing US consumers’ privacy rights or protecting their personal information. By contrast, the European Union’s General Data Protection Regulation (GDPR) applies across all member states, which is one key difference between the two regimes.

What Does CCPA Cover?

The CCPA covers the consumer rights described above and imposes requirements on companies for enforcing data privacy best practices. It gives California residents the option to sue businesses that experience a data breach under certain criteria, and companies face potential fines for intentional violations of up to $7,500 per record. Failing to guarantee consumers their privacy rights and ignoring CCPA compliance can result in major fines and consequences for businesses that hold Californians’ data.

Under the CCPA, data subjects can opt out of businesses selling or sharing their personal information. They can also request knowledge from the business about the categories and purposes, among others, for which personal information is being collected. The right to request deletion or erasure of information is another key component of the CCPA, although there are exceptions that allow businesses to retain PI.

The right to correct and the right to limit, both introduced by the CPRA, took effect in 2023. With the right to correct, California consumers can request that businesses fix inaccurate information about them. The right to limit the use of personal information allows California residents to request that businesses use their personal information only for restricted purposes. The right to non-discrimination, appropriately, prohibits businesses from retaliating against consumers who exercise their privacy rights and submit the above requests.

Companies must also provide consumers with information about their privacy practices and the data they collect, in what is known as a “notice at collection.” A notice at collection must be provided to the consumer before or at the moment data is collected from them.

Establishing and publishing a privacy policy is another major best practice for businesses under the jurisdiction of the CCPA. Privacy policies should detail the data privacy rights of consumers and mechanisms for executing them. The following rights should be included in every privacy policy that addresses the CCPA:

  • The right to know,
  • The right to delete,
  • The right to opt out of sale,
  • The right to correct,
  • The right to limit the use and disclosure of sensitive personal information, and
  • The right to non-discrimination

Privacy policies should illustrate the privacy protection practices conducted by a company, as well as provide a broad overview of what the company does with personal information, from data collection to use, sharing, and sale.

While the CCPA covers most for-profit companies that do business in California, certain covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) may be exempt from the state’s privacy requirements. Covered entities that must comply with the HIPAA Privacy, Security, and Breach Notification Rules are exempt from the CCPA as long as the organization appropriately protects protected health information (PHI) and electronic protected health information (ePHI). However, personal information that is not protected as PHI under HIPAA, such as credit card numbers, must still be secured by businesses that would otherwise be subject to the CCPA.

Since 2018, the CCPA has evolved and changed to better reflect consumers’ data privacy needs and best practices. These changes could impact your organization’s privacy policies, privacy notices, and strategies.

What’s Changed with Requirements?

The evolution of data privacy regulations has necessitated amendments to the CCPA, most notably in the form of the California Privacy Rights Act (CPRA), taking effect on January 1, 2023. Data privacy rights and regulations have been deeply affected by the groundbreaking protections offered by the California Consumer Privacy Act, spurring other states in the US to release and ratify privacy laws of their own.

CCPA vs. CPRA vs. GDPR

The CPRA is an amendment to the CCPA and is effectively a part of the larger California Consumer Privacy Act. These two regulations are not separate, and should not be handled as such, or ignored in favor of the other. The CPRA grants two more privacy rights to California residents.

Likewise, while the CCPA and the EU’s General Data Protection Regulation (GDPR) share many components and have similar purposes, the requirements under each are not the same. Companies must take care to identify their privacy compliance needs and requirements, and then adopt the policies and practices needed to satisfy their regulatory obligations. Complying with both the CCPA and the GDPR involves more than complying with one or the other.

Privacy Rights

Proposition 24, titled the California Privacy Rights Act (CPRA) of 2020, introduced more privacy rights for California residents. The act was passed through a statewide ballot measure and created the California Privacy Protection Agency (CPPA).

The right to correct or rectify inaccurate personal information upon the consumer’s request was added to the law, giving individuals a means of fixing errors in data.

The right to limit the use and disclosure of sensitive personal information upon the consumer’s request was also added, allowing California residents to opt out of the disclosure of their PI and the use of their sensitive personal data. Californians can also request to have their data omitted from automated decision-making.

New Principles

The CPRA introduced new privacy rights for California residents, including the right to rectify and the right to limit the use and disclosure of personal information. It also extended the reach of the CCPA to apply to employees and partners, not only consumers. 

Additionally, the CPRA introduced augmented protections for minors. The legislation requires companies to obtain permission prior to collecting data from consumers under 16 and to obtain consent from a parent or guardian prior to collecting data from consumers under 13.

The CPRA bolstered enforcement of privacy laws with the creation of the California Privacy Protection Agency (CPPA). It empowered the CPPA and California District Attorneys (DAs) to enforce the CCPA. Previously the Attorney General was the only source of enforcement for the CCPA. Full enforcement of the amended CCPA plus CPRA began on July 1, 2023.

Furthermore, the CPRA removed businesses’ ability to remediate privacy violations before being penalized. Where once the original text of the CCPA allowed businesses to fix their violations within 30 days, the CPRA has since amended the law to eliminate that grace period.

These changes reflect the desire of Californians, and of consumers generally, for privacy and protection, and the value they place on keeping their personal information safe. Consumers want businesses to take their data privacy concerns seriously and have gained rights to that end. Proposition 24’s intent and passage are evidence of increasing concern around data privacy.

CCPA: Where to Go from Here

Companies that fail to address privacy laws and demonstrate privacy protection best practices may face more than just fines and fiscal risk — the trust and reputation they’ve built may also be at stake. As consumers pay more attention to how their personal data is used, shared, and processed, businesses have a responsibility to address their data and privacy concerns. More than that, regulations like the California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), the EU’s GDPR, and the other state-level privacy laws passed throughout the United States require most businesses and organizations to comply with certain privacy requirements.

Navigating singular privacy legislation can be enough of a challenge, let alone balancing and understanding the intricacies of differing privacy laws. Does your company meet all the privacy requirements it has to meet? Where are the gaps, if any, that need to be remediated? How can you coordinate privacy compliance efforts across global sites?

Compliance technology designed to address privacy frameworks and enable privacy protections can give you and your organization the edge you need to stay ahead of changing privacy regulations. From the CCPA to GDPR, collaborative and intuitive functionality allows your team to focus on the risks, controls, and evidence that really matters. 

AuditBoard’s CCPA Program unifies risks, policies, controls, issues, and best practices, giving your team a cohesive view of your organization’s privacy posture. AuditBoard’s platform allows you to coordinate between cross-functional stakeholders, untethered by geographical location, and upload evidence once, then associate it with many controls. Managing changes to privacy policies and collaborating to communicate changes is a cinch with real-time editing. Tracking and remediating issues gets centralized, providing a mechanism for prioritizing and tackling critical tasks.

Try AuditBoard today and see how we can help you manage your privacy program!

Kelley

Kelley Spakowski is an IT Risk and Compliance Specialist at AuditBoard. Kelley is the former creator and host of the GRC & Me Podcast, and an experienced GRC software and services solutions professional. Connect with Kelley on LinkedIn.