Over the last few years, countries around the world have begun paying closer attention to customers' private data and to the ways businesses store and process it. Information security has become one of the most important trends in digital product development, especially in such a progressive area as fintech. In this article, I want to highlight the main points about the CCPA that companies should know and help them become compliant with CCPA regulations.
What is CCPA?
The California Consumer Privacy Act is a US regulatory requirement that promotes the right to non-discrimination and enables consumers to learn how their personal information is collected and used. In addition, consumers receive the right to opt in, opt out, access their data, and have it deleted from every source the business holds. Basically, the CCPA grants more rights to the customer, while allowing the business to process and use data where explicit consent has been given. The regulations have established procedures to formalize consumers' new rights and guide businesses on how to comply.
The General Data Protection Regulation (GDPR) is a European set of rules that came into force on 25 May 2018 and is very similar to the California Consumer Privacy Act. However, the California regulations not only empower customers to learn what data businesses are collecting but also give them the ability to stop the sale of their personal information.
The CCPA has made many companies perform a data inventory and adopt privacy-by-design practices.
CCPA updates: who must be compliant?
The law establishes three primary thresholds, each of which triggers the compliance requirements. The CCPA applies to all businesses in California that meet one or more of the following criteria:
- 25M annual gross revenue;
- 50k customers, households or device records in the business databases;
- 50% or more of the yearly income comes from selling consumers' personal information.
However, if you can confidently calculate the number of Californian users in your database and you are sure that they account for less than 50%, you can ignore it. If you have even a small doubt, it is better to avoid any problems connected with the operation of your digital services in California by becoming compliant. The government is not the only party that can pursue a business: California is famous for its love of the courts, and the CCPA allows any individual to file a suit against a company for misconduct involving personal information or personally identifiable information.
To all intents and purposes, it is better to act without delay and take the appropriate steps, since the changes introduced by the CCPA follow a global trend.
What is personal information and personally identifiable information according to the California CCPA regulations?
First of all, let's define three terms that are common and easily confused:
- Sensitive information refers to personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, and financial and medical information. Using this data on its own or combining it with other data, a living individual might be identified. The CCPA 2020 introduces a definition of personal information to make clear to businesses what they need to protect.
- The CCPA definition of personal information (PI) includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
- Personally identifiable information (PII) is any piece of data that can be used alone or together with another data set to identify an individual. PII may contain direct identifiers (e.g., passport information) that distinguish a person uniquely, or quasi-identifiers (e.g., IP address) that can be combined with other quasi-identifiers (e.g., location) to identify an individual.
Generally speaking, businesses need to protect a broad range of information about their customers. The definition of personal information in the California Consumer Privacy Act includes 11 categories, which can be summarized as follows:
- Identifiers: name, email address, postal address, unique personal identifier, IP address, account name, social security number, passport number, driver’s license number;
- Restricted information in customer records: signature, telephone number, employment, bank account number, credit/debit cards, medical information, health insurance information, financial information;
- Legally protected characteristics;
- Commercial purchasing information;
- Biometric information;
- Internet or network activity: browsing history, search history, information regarding a consumer’s interaction with websites, applications, or advertisement;
- Information typically detected by sensors: audio, electronic, visual, thermal, olfactory;
- Employment information;
- Inferences drawn from any of the above and used to create a consumer profile.
Special attention in the CCPA regulation is dedicated to businesses that collect personal information of minors. Such companies must obtain the affirmative authorization of the minor if he/she is 13-16 years of age. If the user is under 13 years of age, their parent or guardian must give the company consent to sell their personal information.
How to become CCPA compliant?
The California Consumer Privacy Act 2020 requires qualifying businesses operating in California to take a number of compliance actions that go beyond the standard business practices in place before the privacy law was passed. New systems must be put in place to respond to requests from customers exercising their rights under the law. In general, compliance measures associated with the CCPA fall into four categories:
- Legal: Measures related to hiring additional legal resources or consultants to help you convert laws into actionable operational and technical plans with consideration to your business specifics and goals, all while updating policies and implementing new legal procedures.
- Operational: Changes must be made at the operational level so that all customer requests are processed according to the legal requirements.
- Technical: For some companies, becoming CCPA compliant means a complete revision of the business's information infrastructure.
- Business: Management teams need to revise service provider contracts and, in some cases, change business models to transform the way personal information is handled, processed, or sold.
Considering the tight deadline and the relevance of the matter for our American partners and clients, we have prepared a complete checklist for businesses that want to become CCPA compliant quickly and effectively:
- Revise data lifecycle management. First of all, you need to identify all data flows in your business and create data flow maps. You need to ensure that information is collected only after customers have given permission. The data flow maps must cover all the vendors, partners, and service-provider SLAs your business works with. The firm must have an easy way to fulfil customers' data requests.
- Add a notice of financial incentives. If the business sells customers' personal information, the CCPA regulations require it to notify the consumer of any financial incentives or price differentials offered in exchange for using (internally or through sale) their personal information.
- Add a notice at the collection of personal information. The business must disclose what information is gathered and for what purpose, and ensure that it is collected only if the customer gives consent. Companies cannot promise customers benefits in return for opting in to the storage and processing of their PI.
- “Do not sell my information” button. The California Consumer Privacy Act gives customers the right to forbid businesses from selling their personal information. Therefore, to avoid penalties and lawsuits, stakeholders can ask their development teams to design and add such an opt-out button to their apps or websites, thus keeping the option open for their consumers.
- Information security. Businesses must implement security standards to protect customers' personal information from data breaches. Well-known guidelines are the NIST (National Institute of Standards and Technology) Cybersecurity Framework and the OWASP (Open Web Application Security Project) resources. In the case of a data breach, the company must notify the affected customers immediately.
Customer data requests under the CCPA
According to the CCPA, companies should be ready to process users' data requests promptly. Some inquiries can be handled automatically, while others require an additional manual review. The business must prepare flows to handle:
- A request to access PI. Each customer can contact a company and request all of the personal information that the firm stores about them. The request must be processed within 45 days.
- A request to delete PI. Customers can ask the business to delete all personal data from every source the company holds.
- A request to opt in. The company cannot store, process, or sell personal information without the user's consent.
- A request to opt out. At any point in time, the customer can discontinue the processing of their PI.
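The request flows listed above, together with the data-flow-map item from the checklist (deletion must reach every vendor and store, not just the primary database), can be modelled in a small consent ledger. The following is an added example written for this article, not code from the original post or from any real compliance product. It assumes a constructed data-flow map with two stores (`crm` and `analytics_vendor`), a hypothetical `PrivacyLedger` class, and sample consumer data that is entirely made up; it enforces opt-in before collection, blocks sale after opt-out, answers access requests from all stores, purges all stores on deletion, and tracks each request against the 45-day response window the article cites.

```python
"""Consent and consumer-request handling model (added example, not the article's code).

Assumptions: the business keeps a data-flow map of every store or vendor that
holds PI (store names here are constructed), and the four rules from the article
apply: collect PI only after opt-in, honour opt-out / do-not-sell, return PI from
all sources on an access request, and delete from all sources, each tracked
against a 45-day response deadline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple, Union

RESPONSE_DEADLINE_DAYS = 45  # response window the article cites for access requests


class ConsentRequired(Exception):
    """Raised when PI would be collected or processed without opt-in consent."""


class SaleBlocked(Exception):
    """Raised when PI of a consumer who opted out would be sold or shared."""


@dataclass
class ConsumerRecord:
    opted_in: bool = False      # affirmative consent to collect and process PI
    do_not_sell: bool = False   # "Do not sell my information" flag


@dataclass
class DataRequest:
    consumer_id: str
    kind: str          # one of: access, delete, opt_in, opt_out
    received: date

    def due(self) -> date:
        return self.received + timedelta(days=RESPONSE_DEADLINE_DAYS)

    def overdue(self, today: date) -> bool:
        return today > self.due()


class PrivacyLedger:
    """Hypothetical ledger tying consent state to every store in the data-flow map."""

    def __init__(self, stores: List[str]) -> None:
        # Data-flow map: store/vendor name -> {consumer_id -> {field -> value}}.
        # Access and deletion requests must reach every one of these stores.
        self.stores: Dict[str, Dict[str, Dict[str, str]]] = {s: {} for s in stores}
        self.consumers: Dict[str, ConsumerRecord] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (consumer, action, detail)

    def register(self, consumer_id: str) -> None:
        self.consumers[consumer_id] = ConsumerRecord()

    def record_pi(self, consumer_id: str, store: str, key: str, value: str) -> None:
        """Notice-at-collection rule: PI is stored only if the consumer opted in."""
        if not self.consumers[consumer_id].opted_in:
            raise ConsentRequired(f"{consumer_id} has not opted in")
        self.stores[store].setdefault(consumer_id, {})[key] = value
        self.audit.append((consumer_id, "collect", f"{store}.{key}"))

    def share_for_sale(self, consumer_id: str) -> Dict[str, Dict[str, str]]:
        """Return the PI that may be sold; refuses if the do-not-sell flag is set."""
        if self.consumers[consumer_id].do_not_sell:
            raise SaleBlocked(f"{consumer_id} opted out of sale")
        return self._collect(consumer_id)

    def handle(self, req: DataRequest) -> Union[Dict[str, Dict[str, str]], List[str], None]:
        """Dispatch one consumer request and return whatever must be sent back."""
        rec = self.consumers[req.consumer_id]
        result: Union[Dict[str, Dict[str, str]], List[str], None]
        if req.kind == "access":
            result = self._collect(req.consumer_id)
        elif req.kind == "delete":
            # Purge from every store in the data-flow map, reporting which ones held data.
            result = [s for s, data in self.stores.items()
                      if data.pop(req.consumer_id, None) is not None]
        elif req.kind == "opt_in":
            rec.opted_in, result = True, None
        elif req.kind == "opt_out":
            # Opt-out stops further collection, processing and sale; existing PI
            # remains until a deletion request arrives.
            rec.opted_in, rec.do_not_sell, result = False, True, None
        else:
            raise ValueError(f"unknown request kind {req.kind!r}")
        self.audit.append((req.consumer_id, req.kind, f"due {req.due().isoformat()}"))
        return result

    def _collect(self, consumer_id: str) -> Dict[str, Dict[str, str]]:
        """Gather everything held about a consumer across all stores."""
        return {s: dict(d[consumer_id]) for s, d in self.stores.items() if consumer_id in d}


def demo() -> dict:
    """Constructed walk-through of the four request types (sample data, not real)."""
    ledger = PrivacyLedger(["crm", "analytics_vendor"])
    ledger.register("c-001")
    try:                                   # collection before opt-in must be refused
        ledger.record_pi("c-001", "crm", "email", "sample@example.com")
        blocked_before_opt_in = False
    except ConsentRequired:
        blocked_before_opt_in = True
    ledger.handle(DataRequest("c-001", "opt_in", date(2024, 1, 1)))
    ledger.record_pi("c-001", "crm", "email", "sample@example.com")
    ledger.record_pi("c-001", "analytics_vendor", "ip", "203.0.113.7")
    access = ledger.handle(DataRequest("c-001", "access", date(2024, 1, 1)))
    ledger.handle(DataRequest("c-001", "opt_out", date(2024, 1, 2)))
    try:                                   # sale after opt-out must be refused
        ledger.share_for_sale("c-001")
        sale_blocked = False
    except SaleBlocked:
        sale_blocked = True
    purged = ledger.handle(DataRequest("c-001", "delete", date(2024, 1, 3)))
    after = ledger.handle(DataRequest("c-001", "access", date(2024, 1, 4)))
    return {"blocked_before_opt_in": blocked_before_opt_in, "access": access,
            "sale_blocked": sale_blocked, "purged": purged, "after_delete": after}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the store list inside the ledger is that an access or deletion request is answered by iterating the data-flow map rather than by whatever the engineer on duty remembers; a vendor added to the map is automatically covered by both flows. The `audit` list records each collection and request with its due date, which is what a reviewer would ask for when checking that the 45-day window is being met.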
Consequences of CCPA non-compliance
If a company decides to stay non-compliant with the CCPA requirements, it may face the following consequences:
- Brand reputation. People react strongly to anything related to PI, PII, and security breaches. If you provide services to other companies, your non-compliance with the regulations may take a toll on their businesses and result in a loss of goodwill or costly legal wrangling. It may also reduce consumer confidence, drive customers away, and incur litigation costs if your customers decide to sue you.
- Regulatory fines. At the time of writing, the penalties amount to $2,500 per violation and $7,500 per intentional violation if it is not cured within 30 days, plus other court-related expenses.
- Individual right of action. Each customer can demand compensation ranging from $100 to $750 for their data loss in a breach if no reasonable security measures were implemented. Note that there is no cap on fines as there is in the GDPR (4% of annual global turnover or up to €20 million), though a website or app may be banned in the CA area.
Important data protection rules and regulations that you may face
If your company works with American or European users, you should pay additional attention to other laws and regulations that may be critical for the sphere you are working in:
- The Gramm–Leach–Bliley Act (GLBA) is also called the Financial Services Modernization Act of 1999. It requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive information. The data protection requirements of the GLBA are set out in its Safeguards Rule and the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule).
- The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. It imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation took effect on 25 May 2018. The GDPR levies harsh fines on those who violate its privacy and security standards, with penalties running into tens of millions of euros.
- The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
- The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. It applies to all schools that receive funds under an applicable program of the US Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.
- The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. Its mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and practical implementation. The breach or theft of cardholder data affects the entire payment card ecosystem.
- The Children’s Online Privacy Protection Rule (COPPA) imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from minors.
- The EU-U.S. Privacy Shield Framework regulates the process of data transfer from the European Economic Area to the United States and ensures necessary data privacy as prescribed by the General Data Protection Regulation (GDPR) and the EU Data Protection Directive. The principles promote enhanced transparency and collaboration, more thorough supervision by American Government organizations, and better privacy protection for European and other individuals.
All these standards and regulations are intended to help companies provide safer services and products with consideration for end customers’ personal needs. New businesses can use most regulations as guidelines while working on their software architecture and back-office services. Meanwhile, such legal rules are often translated into standards for customer support teams. As we have already mentioned, the requirements of the GDPR and the CCPA are similar, so if your business is already GDPR compliant, it may be much easier to comply with the CCPA as well. A number of specialists believe that the California Consumer Privacy Act could become a model for other US states.
From the product owner’s point of view, the understanding of all the regulations helps to build secure and customer-friendly digital assets, avoid heavy fines or time-consuming court battles, and prevent costly re-development of custom software products.