While you may have heard of CCPA, the California Consumer Privacy Act of 2018, it can be hard to know what it means for your organization. In particular, what does it mean for your organization’s security practices?
Like GDPR (General Data Protection Regulation) before it, which despite being an EU regulation changed practices around the world, CCPA affects more than California. It’s something that all organizations around the world will need to pay attention to and comply with.
To help ensure you have the right strategies in place, this post runs through what CCPA means for your security practices, starting with what CCPA is.
What is CCPA?
As I mentioned, CCPA stands for the California Consumer Privacy Act. In short, CCPA strengthens the privacy rights and protections of consumer data in California. While the protection specifically refers to California, we all know the impact the internet and globalization have had on the distribution of consumers. The Act will have ramifications around the world. If your business has any potential to deal with clients, users, stakeholders, or any other type of consumer in California, you’ll need to pay attention.
Consumer data rights under CCPA
There are five key rights to keep in mind when considering the CCPA.
- Organizations must disclose the personal data they collect about the consumer, including data that is used, sold, or shared in any way, and who the business is sharing the data with or selling it to. In addition, organizations must inform consumers about the categories of personal data they collect and the purposes they have for collecting the data.
- Organizations must provide consumers an ability to access the data they collect.
- Users have a right to request that any and all data about them is permanently deleted. Third parties who have been sold or given access must also delete the data.
- Users must have an ability to opt out of the sale, sharing, or use of their personal data. The ability to opt out must be easy to find and use.
- Organizations must not discriminate against users based on their data and privacy decisions.
The Act itself is much larger than these five rights, but if you keep these in mind, you’re most of the way to understanding it.
But what does personal data mean?
At its core, the CCPA is about protecting consumers’ personal data. So, if you’re wondering what personal data entails, you’re asking the right question.
In an effort to be as broad as possible, the Act defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It provides examples including standard identifiers, such as “real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, [or] passport number.” In addition, it lists other possible identifiers, such as biometric information; browsing and network history; geolocation data; audio, visual, thermal, or similar information; professional or employment-related information; and education information. This covers both information that the user provides directly and information that is inferred or calculated.
As you might imagine, the examples I’ve given are only a small part of the picture. If in doubt, consider it to be personal information.
Do I need to comply?
I’ve mentioned a couple of times that while the CCPA is specific to California, it will affect businesses around the world. As it stands, three thresholds have been defined. If your organization meets any of them, you must comply.
For-profit businesses that do business in California, who in any given year:
- Collect, share, or otherwise disclose personal information about 50,000 or more Californian residents, devices, or households
- Make 50 percent or more of their annual revenue from selling personal information data about Californian residents
- Have an annual gross revenue of more than $25 million
The Act specifically targets for-profit businesses. Non-profits and smaller organizations that don’t meet any of the thresholds do not need to comply. However, if you have any doubt, it’s best to err on the side of caution.
When did it come into effect?
The CCPA went into effect on January 1, 2020. Organizations had a six-month grace period to adapt their business practices. The law, and associated penalties, is enforceable as of July 1, 2020.
So far, we’ve been talking about privacy. But there’s another aspect to this legislation.
What does this mean for security?
As is often the case, privacy and security go hand in hand. Both have a large overlap around caring about how data flows through your applications and systems. You’ll need to do a few things to ensure compliance. Even if you don’t think you meet any of the thresholds, it’s always a good idea to review security practices.
Review your data and how it moves
How much do you know about the data that moves through your business? Before you get anywhere with CCPA compliance and your security practices, you’ll need to review your data. Check every data point and data flow, record whether it contains personal information, and update the associated documentation. Consider questions such as:
- Do you know all the ingress and egress points?
- Do you know which data stores contain personal information?
- Who do you share the data with?
- How much of the data can users currently access?
- Which staff members have access to the data, and how do they use it?
Once you’ve reviewed your data, you’ll be able to tackle your security practices.
Store data securely
After you’ve reviewed your data to categorize, document, and label it, the first action to take is to ensure you store it securely. The three easiest things to do are to encrypt your data, ensure there are safe backups, and keep things simple. For more of an in-depth look, consider the best practices in this post.
Check your practices and software
Now that you have a good sense of how data flows through your organization, applications, databases, and more, you’ll want to ensure that you’re protecting it as well as you can. Something like Sqreen’s user monitoring can help here.
Of course, security practices don’t remain static. If they did, I wouldn’t be writing this post, and you certainly wouldn’t be reading it. That means it’s important to regularly review your security practices. How often you do so depends on your company. Kicking off and scheduling security testing sessions is a great way to get started.
Those reviews will cover the internal and third-party applications you use throughout your organization, but the point is important enough to mention here as well. Your data is also handled by the internal and external apps your company uses. Make sure that everything your user data flows through complies with CCPA, and make sure you regularly update all of it.
Prepare for user requests
A major component of CCPA is that users control their personal data. Do users have a way to easily opt out of data storage? Do users have a way to request access to data that’s not immediately available? How long does it take to prepare a report? Is the process automatic or will staff need to perform certain actions? (Hopefully, it’s automatic.)
This is where your earlier categorization becomes vital. Remember how broad the definition of personal information was. If you don’t have them already, now’s the time to add required links and contact options.
Communicate with third parties
I mentioned this earlier with the software checks, but it extends beyond that. If you’ve identified any third parties that you share data with, or if there are any third parties that share data with you, contact them to discuss compliance. Are they taking as much notice as you are? If not, direct them to this post.
Key to this point is whether you have a strategy in place to ensure data is removed at a user’s request. It also extends to understanding what data third parties have about users. Remember that personal information includes calculated or inferred data.
Make a habit of deleting user data you don’t need
When it comes to reducing security risks around data, there are few things as vital as making sure data is no longer available. If the data isn’t there, nobody can breach it. If you no longer have use for data, delete it. It’s as simple as that.
Update your public security policy
In a previous post, we’ve discussed what a public security policy is and why you should have one. In short, the policy outlines the actions your organization will take to protect customer information and address security concerns.
When considering CCPA, you’ll need to review your policy and make sure strategies and steps you outline are compliant. This may mean adding information or clarifying points in the document, such as who has access to data and what personal information is collected, calculated, and inferred.
Educate and communicate
No matter how strong you make your security practices, they’re useless if people don’t understand them. Educate your employees about CCPA and any changes you’re making. Make sure they understand what the changes mean, how to handle aspects that relate to them, and who to talk to when they’re not sure. Augment this with clear policies and procedures they can follow. While you won’t be able to foresee every possible scenario, you can rest assured that the communication pathways are open if something unexpected does come up.
Security is hard. And it’s something you don’t want to mess up. Sqreen has a range of tools that can help you improve and evaluate your security practices. If you’re in doubt about any of the steps or information in this post, or you just want to double- and triple-check, let Sqreen help you better prepare your business for CCPA.
This post was written by Michael de Ridder. Michael has worked in software development, data visualization, data science, research, consulting, and business analysis across healthcare, telecommunications, radio and finance. He enjoys the challenge of combining and utilizing the relationships between different domains and technology. A big fan of travel, Michael is a proponent for the benefits of work-life balance, believing that time away from a subject allows creativity to flourish.