CCPA Consulting

The California Consumer Privacy Act (CCPA) is a privacy regulation which will go into effect on January 1, 2020. The CCPA grants California residents the following rights:

  • The right to notice – Businesses must inform California residents, at or before the point of collection, what categories of personal information will be collected and the purposes for which these categories will be used.

  • The right to access – California residents have the right to direct a business to disclose the categories of personal information collected; the categories of sources from which personal information is collected; the business or commercial purpose; the categories of third parties with which the business shares personal information; and the specific pieces of personal information the business holds about a consumer.

  • The right to opt out (or right to opt in) – California residents have the right to direct businesses that sell personal information about the resident to third parties to stop this sale. If a consumer is a minor, the CCPA provides for a right to opt in to the sale of data (exercised by the minor if the consumer is between 13 and 16 years of age, or by the minor’s parent or guardian if the consumer is under 13 years old).

  • The right to request deletion – California residents have the right to direct businesses which collect and store personal information about the resident to delete that information.

  • The right to equal services and prices – The CCPA prohibits businesses from discriminating against California residents by denying goods or services, charging a different price or rate for goods or services, providing a different level or quality of goods or services, or suggesting that they will do any of these things, based upon a consumer’s exercise of any CCPA rights.

Who needs to comply with CCPA? The regulation states that organizations which fall into any of the following categories need to comply with the CCPA requirements:

  • Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

  • Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.

  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

It should be noted that the CCPA also applies to businesses which are not located in California but conduct business with California residents, such as an online entity.

What are the risks and penalties for noncompliance with CCPA?

1798.150.
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

The CCPA grants California residents a private right of action regarding the violation of certain aspects of the CCPA. This means that California residents can sue an organization directly for violating certain provisions of the CCPA. This private right of action would also allow class action lawsuits to be filed against an organization for the violation of certain aspects of the CCPA.

The bill would provide for its enforcement by the Attorney General, as specified, and would provide a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information, as defined.

How can Array Cyber Consulting help organizations cost effectively comply with the CCPA while minimizing the impact of compliance on the organization’s objectives?

  • Create and/or review the organization’s policies and procedures for CCPA compliance

  • Create and/or review an organizational personal information (PI) data map to understand the movement and storage of PI throughout the organization

  • Ascertain, through surveys, interviews, and vulnerability scans, the organization’s current state of CCPA compliance

  • Enumerate, risk-rate, and prioritize all CCPA compliance issues to ensure optimal utilization of available compliance resources

  • Provide prioritized, cost-effective remediation recommendations which do not adversely affect the organization’s business objectives