18 Sep, 2019

Are You Ready for the CCPA?

  • Nipuni Paaris
  • Software Engineer - WSO2

Over the past few years, consumer data protection and privacy have become a hot topic in the consumer identity and access management (CIAM) domain. Owing to numerous new ways to aggregate personal data and the development of powerful analytical tools, the financial value of consumer data has skyrocketed within a short period. At the same time, efforts to standardize and enforce data protection and privacy have taken the business world by storm, with the General Data Protection Regulation (GDPR) leading the way. The emergence of European Union legislation for consumers’ privacy under GDPR has caused many businesses to rethink and redefine their CIAM strategies with respect to data protection and privacy.

The California Consumer Privacy Act (CCPA) is a mandate that will come into effect on 1 January 2020. It will be a major update to privacy law in California and will reform the consumer rights of Californians. This article will walk you through what the CCPA is and how it affects the way companies handle personal information of California residents. Before digging deeper into what the CCPA is, let's examine why California is great for business.

Too Many Reasons Why

  • California is considered the most populous state in the US, with nearly 40 million residents (more than Canada’s population).
  • It has an economy of $2.7 trillion, which is the fifth-largest economy globally (only behind the US, China, Japan, and Germany).
  • Three of the ten largest cities in the US are situated in the state of California.
  • The headquarters of 49 Fortune 500 companies are located in California; it is also home to 10% of Fortune 1000 companies.

What is the CCPA?

The CCPA, which is also known as AB 375, is the most comprehensive privacy law in the country. Unless it is amended before its 1 January 2020 effective date, the law will be the strictest data privacy law in the United States and will mandate data privacy protections and requirements similar to or broader than those imposed by the General Data Protection Regulation (GDPR). The CCPA gives consumers more control and power over their personal data.

California has a largely tech- and innovation-driven economy. Major California-based tech companies, such as Apple, Google, Facebook, and YouTube, will face far-reaching consequences under the CCPA. However, compared with its European counterpart, the CCPA has certain criteria to define businesses that fall within its scope. The new law applies to any organization that collects personal information of consumers and does business in California. Also, any for-profit business that meets at least one of the following thresholds will have to comply with the new regulation:

  • Has annual gross revenue in excess of $25 million.
  • Annually buys, sells, or shares personal information of 50,000 or more consumers, households, or devices.
  • Earns 50% or more of its annual revenue by selling personal information of consumers.

Consumer Rights Under the CCPA

  1. The Right to Access Personal Information (PI): This means that residents of California have the right to know what categories of personal information a business organization collects and shares with other entities. Consumers also have the right to request specific pieces of information that the organization has collected.
  2. The Right to Have PI Deleted: Consumers will be able to request that a company delete the personal information it has collected about them.
  3. The Right of Disclosure: Companies collecting consumers’ personal information for commercial purposes (selling or disclosing it to a third party) shall disclose the categories of PI collected, the sources through which the PI was collected, the purpose for the collection, the entities which the PI was shared with or sold to, and the specific pieces of PI that were collected or sold.
  4. The Right to Opt-out and Opt-in: Consumers will be able to direct a company to not sell their personal information to third parties.
  5. The Right to Non-discrimination: Consumers have the right to not be discriminated against for exercising any of the rights provided by the CCPA.

Financial Risks of Non-compliance

Once notified of a violation, a covered business will be given a 30-day window to comply under the CCPA. Non-compliance will lead to a civil penalty by the Attorney General and up to a $2500 fine per violation (on a user basis) or $7500 per intentional violation.

The legislation also grants consumers the right to take private action against covered businesses that fail to adhere to the regulations under the CCPA. In the case of a data breach, such civil cases can result in up to $750 in damages per consumer per incident or actual damages, whichever is higher.

At a glance, these numbers may seem insignificant. But, typically, most data breaches involve hundreds and thousands of records. In such a situation, the cost of a lawsuit could be extremely high.

Compliance Initiatives to Prepare for the CCPA

  • Update the organization’s current policies and privacy notices to ensure compliance with CCPA regulations.
  • Deploy features that support the rights to access, delete, and stop the sale of data in the systems that process and store consumer data.
  • In order to enhance information security, conduct a thorough risk assessment and close medium-risk gaps.
  • Ensure employees who handle consumer personal information are trained to recognize and understand all the relevant regulations under the CCPA.
  • Organize the organization’s data collection methods so that the reports requested by consumers under the right of access can be provided more efficiently.
  • Ensure that external communications inform consumers of their rights under the CCPA, including how to make disclosure requests, whether PI is sold or disclosed to third parties, and the business purpose.
  • Update website homepages to include a conspicuous link titled “Do Not Sell My Personal Information”.

Organizations that actively conduct business in the state of California will need to adjust to CCPA requirements and will be required to comply with any and all provisions outlined in the final version by 1 January 2020. Achieving compliance is likely to take much longer than one might think, and the countdown to CCPA implementation has already begun. Thankfully, we still have enough time, and it is still possible to meet the deadline.

In the meantime, there may be amendments to the current provisions, with removals or additions to the legislation. Therefore, it is crucial that all businesses work hard towards achieving the CCPA requirements. Companies should stay up to date with new data privacy regulations in order to provide better customer service and ensure the security of personal information. This will lead to growing consumer trust and loyalty, which, in turn, will create a competitive advantage for any organization.

Now that we have gained a fundamental idea of the new regulation, let's explore the role of the CCPA in the IAM domain.


About Author

Nipuni is a Software Engineer based at our Colombo office. She has a bachelor’s degree in Software Engineering from the University of Westminster, UK. As a part of her final year research project, Nipuni developed an automated resource analysis system to optimize project management.