On January 1st, 2020, the California Consumer Privacy Act (CCPA) went into effect. The state’s new data privacy regulation has left many drawing parallels between it and the GDPR, the EU’s landmark regulation that went into effect in May 2018.
There are notable differences between the two laws, however, and those differences are worth a discussion. In a past blog, we explored the impact of the GDPR on crisis management and business continuity, so we’re going to do something similar for the CCPA. What does the CCPA mean for incident response and business continuity?
Understanding the CCPA
In a sentence, here's a (somewhat oversimplified) description of the CCPA: it is a law that gives California residents more control over the personal information that businesses collect about them.
The CCPA does this by both direct and indirect means.
The direct rights consumers can exercise include the following:
- Request to see the personal information a business has collected about them, the purposes it is used for, and the categories of third parties it has been shared with or sold to
- Request deletion of personal information the business has collected from them (subject to the statutory exceptions)
- Opt out of the sale of their personal information to third parties
The CCPA protects consumers indirectly by imposing duties on businesses, including a duty to implement and maintain reasonable security procedures. If a breach results from a business's failure to meet that duty, affected consumers may sue for damages, either individually or as part of a class action; the statute sets statutory damages at $100 to $750 per consumer per incident, or actual damages if greater.
Separately, the Attorney General can bring enforcement actions. If a business fails to cure a violation within 30 days of being notified, it faces civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.
Which companies must comply with the CCPA? Any business that collects or handles the personal information of California residents and meets at least one of the following criteria:
- Companies with annual gross revenue of more than $25 million
- Companies that buy, receive, sell, or share the personal information of more than 50,000 consumers, households or devices for commercial purposes
- Companies that make 50 percent or more of their annual revenues from selling consumers’ personal information
Companies don't have to be based in California, or even in the United States, to be covered. Entities that control, are controlled by, or share common branding with a qualifying business also fall within the CCPA's reach.
How the CCPA Defines Personal Information
How each law defines the data it protects is one of the most important points of comparison between the CCPA and its European cousin, the GDPR.
The CCPA defines the data it protects, codified as "personal information", with more granularity than the GDPR, enumerating categories such as identifiers, commercial information, biometric data, internet activity, geolocation data, and inferences drawn from them. At a high level, though, the two laws protect largely the same kinds of data.
The GDPR's "personal data" is defined more abstractly: any information relating to an identified or identifiable natural person. The CCPA spells out the categories it covers; the GDPR's broader, more interpretive language arguably pushes companies to handle all data responsibly rather than only specific types. One key discrepancy is that the Californian law also covers information tied to households and devices, not just to individual persons.
Data Breaches and Leaks
A business that fails to meet the CCPA's requirements exposes itself to significant losses.
Businesses should implement, if they haven't already, the processes that bring them into CCPA compliance. Among them: a mechanism for consumers to exercise their opt-out right, and internal procedures for handling CCPA-related requests from consumers and inquiries from regulators.
Data security is a central topic of the law as well. Christina Hyun Jin Kroll of Proskauer wrote a great in-depth explanation for the National Law Review of how the CCPA applies to data breaches and leaks.
Under the CCPA's private right of action, three conditions must all hold before a consumer can sue over a breach:
- The data affected must qualify as personal information under California's data breach notification law, not under the CCPA's broader definition
- The data must have been nonencrypted and nonredacted
- The breach must result from the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information
The third condition is the reason we're approaching the CCPA from the perspective of business continuity and crisis management.
What constitutes reasonable security procedures and practices is not spelled out in the CCPA itself. In 2016, however, then Attorney General Kamala Harris's California Data Breach Report stated that failing to implement the Center for Internet Security's 20 Critical Security Controls constitutes a lack of reasonable security, effectively establishing a floor.
One of the controls on that list is incident response and management, and that is why the CCPA has our interest.
Avoiding Non-compliance
Those who already understand the CCPA will know that a breach alone, if it meets the criteria above, may be enough to trigger a wave of consumer claims and regulatory scrutiny. Incident response is a critical part of handling a breach, but does it prevent attacks and breaches?
The quick answer: No.
Thorough incident response planning and management will help a team and business get through a breach more efficiently, but in the context of the CCPA, it doesn't mean a business won't be subject to fines, paying damages, and/or compensating affected Californian consumers. Where it can matter is on the third condition above: a documented and exercised incident response capability is one of the controls the Attorney General's report counts toward reasonable security, so it strengthens a business's position that a breach was not the result of failing that duty.
That fact shouldn't halt your business's preparedness efforts. Having a plan to follow reduces your exposure. Plans make responses more efficient and deliberate, and they shorten the downtime that comes with a crisis.
Another pillar of preparedness and mitigation is business continuity planning. Inventory the processes that keep consumer personal information secure and available, and protect the procedures that support your CCPA compliance efforts, such as handling consumer requests to view their collected data and to exercise control over it.
If something compromises any of these processes, your business can fall back on a business continuity plan (BCP) to restore them. Business continuity plans deliver the same benefit as incident response planning: they reduce the likelihood that your business mishandles consumer information.
When the GDPR was passed and enacted, many predicted it would be the first of many. The CCPA paid that bet out, and the odds favor clones and cousins of these watershed regulations being passed in other US states and countries.
Security and business continuity are crucial for businesses working to meet the demands of the CCPA (and the CCPA copies to come). The heavy penalties the legislation carries only underline their importance. Even without the law hanging over a business, putting these ideas into practice won't hurt and will add to the resilience of your organization.