California Consumer Privacy Act (CCPA)

Compliance Guide

Intro

If your for-profit organization does business in California or with Californians, it will need to comply with the California Consumer Privacy Act of 2018 (CCPA). Taking effect Jan. 1, 2020, this law places the most stringent requirements on the protection of consumer data in the United States. There is no federal law protecting data privacy.

  • The CCPA breaks new ground in data privacy protection: CCPA has a broad definition of "personal data"
  • It applies to almost every large enterprise in the U.S. (Who doesn’t do business with California?)
  • It has a long list of "consumer" (California residents’) rights

Although enforcement doesn’t begin until July 1, 2020, your CCPA compliance begins on the first of the year in at least one respect: Starting on the effective date, Jan. 1, you must be able to comply with consumer requests to review any and all of their information in your databases. Since you must provide one year’s worth of data history, you should already have begun taking steps to comply.

To help with your CCPA compliance efforts, we’ve compiled this guide. Replete with information about the law and how to meet its requirements, it is a living document to be updated as needed—such as when the California Legislature fills in the gaps left by the hasty passage of the original bill, AB 375, and its subsequent amendment, SB 1121.

Read on for a CCPA summary and answers to the most commonly asked questions about this important new law. For in-depth knowledge about any topic, click on the links sprinkled throughout. For help preparing for your first CCPA audit, check out our handy CCPA audit checklist. And if you want a digital solution to guide you through the CCPA compliance process, contact us.

What is the California Consumer Privacy Act? - Definition & Background

The California Consumer Privacy Act of 2018 (CCPA) is the United States’ most comprehensive and stringent data privacy law.

Enacted in June 2018 and amended the following September, it gives Californians unprecedented powers to view, restrict the use of, and delete the data that for-profit companies collect about them. It also gives them the right to sue if a data breach results in the compromise of their information.

The CCPA doesn’t replace California’s existing data protection laws: the California Online Privacy Protection Act (CalOPPA), the Privacy Rights for California Minors in the Digital World Act, and the Shine the Light law.

  • CalOPPA, enacted in 2004 and revised in 2013, was the first law in the country to require websites, online services, and mobile applications that collect Personally Identifiable Information (PII) about California consumers to display privacy policies on their site. It also requires those services to disclose their tracking and collection of PII and how they handle "do not track" requests.
  • The Privacy Rights for California Minors in the Digital World Act allows children under 18 to request removal of content they have posted online, requires sites to notify minors of their right to erasure, and prohibits websites and apps from advertising certain items including alcoholic beverages and firearms.
  • The Shine the Light law requires businesses that disclose customer information for direct marketing purposes to notify the customers.

How the CCPA Came To Be

For a California entrepreneur named Alastair Mactaggart, these laws were not enough. At a dinner party, Mactaggart learned from a Google engineer how technology and social media companies gather and sell data about their users for targeted online ads and other purposes. Alarmed, Mactaggart drafted the CCPA with the help of other privacy advocates.

The original CCPA was intended as a voter initiative. It would have placed stringent restrictions on the abilities of social media companies, search engines and other for-profit organizations to collect and share personal information and other data about California residents. In some ways, the initiative resembled the European Union’s General Data Protection Regulation (GDPR).

But Facebook, Google, and other large tech companies were worried about the proposed initiative’s effects on their business models. They worked with state legislators and with Mactaggart to craft a compromise bill. Mactaggart agreed to withdraw his petition if the compromise bill got adopted and signed before the June 28 deadline for submitting ballot initiatives. The lawmakers wrote Assembly Bill 375 hurriedly, racing the clock. Assembly Bill 375 passed both chambers unanimously.

But the quick passage left some loose ends in the new law. Senate Bill 1121, the amendment passed in September 2018, closed some of the gaps, but other questions remain. To buy time for changes and clarifications, the legislature included in SB 1121 a provision postponing enforcement of the CCPA until July 1, 2020. The delay was intended to give legislators time to define and clarify more of the CCPA’s provisions.

The CCPA 2018: A Summary

The CCPA applies to industries and for-profit enterprises that do business in California or collect data from Californians. It regulates both online and off-line data sharing and data sales.

If your business meets one of the following conditions, it will need, in most cases, to meet CCPA requirements:

  • Has annual gross revenues of more than $25 million
  • Buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices per year
  • Derives 50 percent or more of its yearly revenues from selling California consumers’ personal information
  • Controls, or is controlled by, a business that meets any of these criteria and shares a brand with that business

The CCPA gives Californians the right to view their data that is collected or stored by these businesses. It allows them to know why their data is collected and stored, and with whom it is shared and why. Californians can deny these businesses the right to sell or share their data, and can have their data deleted on demand. The law also requires businesses to provide CCPA training to employees who handle customer data, and to teach them how to help consumers exercise their rights.

If customer data is compromised, the law gives affected consumers a "Private Right of Action" to file a civil suit. The California Attorney General can also fine businesses up to $2,500 per violation or $7,500 per intentional violation.

To Whom Does the California Consumer Privacy Act Apply?

The California Consumer Privacy Act (CCPA) applies to entities doing business in California or with Californians that exceed a $25 million revenue threshold and meet other CCPA regulatory criteria.

Every enterprise, including startups, tech companies, and data brokers, must comply with the CCPA if it meets all of the following criteria:

  • It is a for-profit business
  • It does business in California
  • It collects personal data of California residents (or has that information collected on its behalf)
  • It determines, alone or jointly with others, the purposes and means of processing that information, and
  • It meets one or more of the following thresholds:
    • It has more than $25 million in annual gross revenues, adjusted for inflation
    • It buys, receives for a commercial purpose, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
    • More than half of its yearly revenue comes from selling consumers’ personal information

Consumers and employees protected by the CCPA are those who qualify as California residents under the state’s tax laws. This means they are in California for a non-temporary or non-transitory purpose, or maintain a residence in California but are temporarily outside the state.

When Does the California Consumer Privacy Act Take Effect?

The California Consumer Privacy Act (CCPA) officially takes effect on Jan. 1, 2020, but the state’s attorney general won’t begin prosecuting non-compliance until July 1, 2020.

The delay is designed to give legislators time to make changes to CCPA. Several amendments are already in the works.

It is unusual for a law’s effective date to differ from its enforcement date. But the passage of AB 375, the bill that became the CCPA, was itself unusual.

The California Legislature crafted the CCPA hurriedly, trying to beat a deadline for a voter referendum that would have been much more restrictive.

Tech companies including Google and Facebook had asked legislators to work on a compromise with the CCPA referendum’s authors because they worried that the referendum might pass. The initiative’s authors agreed not to submit it for inclusion on the November ballot if the CCPA became law before their submission deadline.

Assembly Bill 375 passed both chambers and was signed into law before the deadline. The law stipulates a date of Jan. 1, 2020, for the CCPA to take effect. But in September 2018 the legislature adopted SB 1121, which defers the CCPA enforcement date until July 1, 2020.

Now lawmakers have time to consider CCPA amendments that could clarify and improve its provisions. For example, does the $25 million threshold count California revenues only, or total revenues? The law as written doesn’t say.

Or, CCPA changes could weaken the law, which those in certain industries are reportedly lobbying for. Any changes, however, must be adopted by both houses of the legislature.

Get started now

Under the CCPA, California consumers will have the right as of Jan. 1, 2020 to know what personal information of theirs for-profit entities have collected and are storing. Californians will have the right to know how their data is being used, and whether it’s being sold or shared. When they file a request for that data, the entity must provide records from the past full year. To meet that criterion, you should already be getting your data categorized, tagged, and organized.

Are you ready to comply?

If you’re using spreadsheets to track your CCPA compliance, be warned: It’s a complicated series of tasks with lots of moving parts. Why not contact Reciprocity now, and learn how our ZenGRC software as a service can do most of the work for you?

CCPA vs. GDPR: Comparison of Requirements

The California Consumer Privacy Act of 2018 is often called "America’s GDPR." This is because, like the European Union’s General Data Protection Regulation, the CCPA aims to protect people’s privacy by regulating what entities do with their personal information. From the similar language used in both the EU privacy law and the California law, it is clear that the GDPR inspired the authors of the CCPA.

Both the GDPR and the CCPA were the first laws of their kind in the EU and the U.S., respectively. Both require organizations that collect personal data to disclose to the owners of that information what data they have and what they do, or intend to do, with it.

But there are at least as many differences between the two privacy laws as similarities. Here’s a point-by-point breakdown comparing them.

Personal Data

GDPR: Regulates the "processing" of personal data, including collection and sales
CCPA: Regulates the collection and sales of personal data

Scope

GDPR: Applies to all businesses within the EU or processing EU resident data, regardless of size
CCPA: Applies to for-profit businesses located in California or businesses collecting data from California residents that either have more than $25 million in annual revenues; process the data of 50,000 California residents, devices, or households per year, or earn more than 50 percent of their yearly income from selling California residents’ data

Disclosure

GDPR: Requires an entity to inform data owners up-front why it is collecting their data (the "legal basis and purposes"), what it intends to do with the data it is collecting, with whom it will share the data, how long it intends to store the information, and what the data owner’s rights are under the law
CCPA: Requires an entity to inform data owners up-front as to the categories of personal data it is collecting and how it intends to use the data

Right of Access and Portability

GDPR: Gives data owners the right to obtain a copy of their collected data from the entity collecting it (the "controller") and to know where the data came from, why the data was processed, with whom it will be shared and why, and how long the entity intends to store the information. It requires entities processing EU resident data to inform those data owners of their rights. It sets a deadline of one month for complying, free of charge, with data owner access, correction, and restriction requests.
CCPA: Gives data owners the right to know which information of theirs an entity has collected in the preceding 12 months; the categories of those with whom the data has been shared; the categories of sources of the data; and the business or commercial purposes for collecting or selling it. It requires businesses to provide this information free of charge within 45 days of each request, up to twice per year.

Right to Correction

GDPR: Gives data owners the right to correct any errors they find in their personal information processed by EU organizations
CCPA: Does not include this right

Right to Withdraw Consent

GDPR: Gives data owners the right to withdraw their consent or stop processing of their data at any time
CCPA: Gives data owners the right to deny consent for the sales of their personal information, and requires entities to display an "opt-out" link on their website

Right to Erasure

GDPR: Gives data owners the right to have their personal information deleted from an entity’s records, and requires third parties with whom the entity has shared the information to delete it too. Conditions for erasure include:

  • The entity no longer needs the data
  • The data owner withdraws consent to have their data processed
  • The data owner objects to having their information processed and the entity has no grounds to override the objection
  • The data has been unlawfully processed
  • The data isn’t necessary for the exercise of freedom of information or expression, for a task in the public interest, or for legal claims

CCPA: Gives data owners the right to have their personal information deleted from an entity’s records. Requires entities receiving this request not only to erase the data themselves but also to direct service providers who hold the information to do the same. Exceptions apply if, for example, the entity needs the data to:

  • Complete a contract or transaction with the data owner
  • Detect security incidents
  • Protect against or prosecute deceptive, illegal, fraudulent or malicious activity
  • Engage in research
  • Comply with a legal obligation

Right to Stop Automated Decision Making

GDPR: Gives data owners the right to have decisions made by a human that affect them legally
CCPA: Offers no such right

Restrictions on Collecting Data of Minors

GDPR: Requires parental permission to process data of children under 16 and allows Member States to lower that age to 13
CCPA: Requires minors age 13 to 16 to opt in to the sales of their data, and parental opt-in for children under 13

Right to Nondiscrimination

GDPR: Has no explicit nondiscrimination clause, but requires data to be processed "fairly" and stipulates that consent to the processing and sale of data must be given freely, meaning that data owners will not suffer consequences for withdrawing that consent.
CCPA: Gives data owners who exercise their rights under the CCPA the right to equal services of equal quality and price as data owners who do not exercise those rights. A business may, however, offer incentives to consumers in exchange for allowing them to sell their information.

Private Right of Action

GDPR: Gives data owners the right to compensation for material or non-material damage as a result of infringement of the GDPR, but does not limit liability
CCPA: Gives data owners whose information is breached the right to sue the negligent entity for $100 to $750 per incident or actual damages, whichever is greater

Regulator Enforcement Penalties

GDPR: Sets penalties for an infringement at a maximum of 20 million euros or 4 percent of the previous year’s global revenues, whichever is greater
CCPA: Sets penalties for an infringement at a minimum of $7,500 per violation, with no limit on total penalties

As you can see from this CCPA-and-GDPR comparison chart, complying with the GDPR doesn’t necessarily translate to CCPA compliance. The two laws have similarities, but if yours is an organization doing business in California or with Californians, you will need to take additional measures to ensure your CCPA compliance—even if you already comply with the GDPR.

What is Personal Information under the CCPA?

The California Consumer Privacy Act (CCPA) has a broad definition of "personal information." In the interest of data privacy, it defines "personal information" as information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

The CCPA’s list of categories of personal information includes these examples:
  • Identifiers: real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  • Commercial information such as records of personal property; products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • Biometric data such as fingerprints, face recognition, retina or iris information, hand patterns, height, weight, and eye color
  • Internet or other electronic network activity information such as browsing history, search history, and information regarding the data owner’s interaction with a website, application, or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information that is not publicly available
  • Inferences drawn from any of the information identified here to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

The CCPA also stipulates some exceptions.

Information that is already legally available in public government records does not have the same restrictions under the CCPA. And the law does not restrict information that has been "de-identified" (stripped of identifying characteristics) or aggregated.

Collect and Sell Personal Information: What Does it Mean?

The California Consumer Privacy Act (CCPA) defines "data collection" and "sale" of personal information very specifically.

Here is how the CCPA defines "collecting" information:
"Collects," "collected," or "collection" means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

Here is how "sale" of information is defined in the CCPA:
"Sell," "selling," "sale," or "sold," means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

The law takes the definition a bit further by also stating what does not constitute a sale. According to the CCPA a sale does not occur under these circumstances:

  • A California resident ("consumer") uses a business to disclose information to a third party intentionally, or directs the business to do so. Hovering over the content or closing it does not qualify as an intentional disclosure. The third party may not sell the information except as stipulated by the CCPA.
  • A business shares consumer information to inform a third party that the consumer has opted out of the sale of their personal data.
  • A business shares consumer information with a third party for a "business purpose" such as auditing, counting ad impressions, detecting or protecting against security incidents, and customer service. In this case, the business must tell the consumer that they are going to share their data, and allow them the opportunity to opt out as required by the CCPA, and the third party does not further collect, sell, or use the consumer’s information except for a business purpose.
  • The business shares the information as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which a third party is taking control of the business. The third party can only use the information in a way consistent with the consumer’s original agreement; if they want to change the use, the consumer must opt in to a new agreement, under the CCPA.

These definitions matter because the CCPA provides first-of-its-kind "user control" for consumers, allowing them to opt out of having their personal information sold using a required link on the business’s home page. Consumers age 16 and younger must opt in to sales of their personal data; those younger than 13 must get parental permission. Businesses must also delete consumers’ personal data upon their request.

What Are the Exceptions to the CCPA?

Every law has loopholes, and the California Consumer Privacy Act of 2018 (CCPA) is no exception.

Whether your business must comply with this sweeping data-privacy law depends on a number of factors, which we’ll touch on here and explain in greater depth on the Reciprocity website.

Which businesses are exempt?

Business exceptions under the CCPA include smaller businesses and those that don’t process much data from California residents.

  • Non-profit organizations of all sizes
  • For-profit enterprises that don’t do business in California or with Californians
  • California businesses that do not meet any of these thresholds:
    • More than $25 million in annual gross revenues
    • Annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices
    • Derives 50 percent or more of its yearly revenues from selling consumers’ personal information

Even the enterprises that must comply may find that the CCPA does not apply in certain situations. The CCPA states that its rules cannot restrict a business’s ability to

  1. Comply with other laws
  2. Comply with certain kinds of investigation
  3. Cooperate with law enforcement regarding activities that may be illegal
  4. Make or defend legal claims
  5. Process, sell, or share de-identified information or aggregate data
  6. Collect personal information from transactions and consumers outside California

Which kinds of data are exempt?

Certain kinds of data are exempt from CCPA regulation, as well:

  1. Certain kinds of medical and protected health information
  2. Data collected in clinical trials
  3. Data used to generate a consumer report
  4. Certain data collected by financial institutions
  5. Data collected, processed, sold, or disclosed under the California Driver’s Privacy Protection Act of 1994

And consumers cannot "opt out" of their information’s disclosure for a "business purpose," meaning that it is being used for the business’s or a service provider’s "operational purposes."

CCPA deletion exceptions

Also, consumers do not have the right to have their information deleted (the so-called "right to be forgotten") if it is necessary to:

  • Complete the transaction for which the data was collected; provide a good or service requested by the consumer; or perform a contract between the business and the consumer
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or prosecute those responsible for it
  • Debug to identify and repair errors
  • Exercise or ensure free speech or another right granted by law
  • Comply with certain laws or legal obligations
  • Enable the business to meet certain consumer needs or expectations
  • Conduct or produce certain research, including academic research ("research exception")

Steps & Guidance: How Do I Prepare for CCPA Compliance?

The California Consumer Privacy Act of 2018 (CCPA) takes effect Jan. 1, 2020. But on that date, businesses will be expected to provide a full year’s data history to consumers who request it.

In other words, the time to prepare for CCPA compliance is now. Here are 10 CCPA-readiness steps you should take to ensure that, when enforcement begins July 1, 2020, your organization will be ahead of the rest:

1. FAMILIARIZE YOURSELF WITH THE CCPA AND ITS REQUIREMENTS.

Does your organization even need to comply with the CCPA? The law establishes thresholds that may exempt smaller businesses from CCPA requirements. For instance, if your organization’s yearly revenues are less than $25 million, you may not need to comply. Beyond these thresholds, the CCPA contains data-specific exemptions and exceptions, which may narrow your compliance scope. On the other hand, it defines "personal information" in a way that is considered very broad, which may increase it. Taking the time to read and digest the entire document can help you save time and resources and increase your confidence that, when the time for your CCPA audit arrives, you will be ready.

2. CONSIDER THE CCPA IN CONTEXT.

Your CCPA checklist should include an overview of all the frameworks with which you comply, especially the European Union’s General Data Protection Regulation, with an eye toward overlapping requirements. You may be further along with CCPA compliance than you think. Good compliance software can compare and contrast your various compliance efforts, so you aren’t doubling up or leaving anything out.

3. CONVENE YOUR CCPA TEAM.

Don’t try to go it alone with CCPA compliance. It’s a complex law, best addressed by a team of risk and compliance professionals, legal staff, human resources leaders, IT staff, security and privacy experts, and, last but not least, a leader. The GDPR requires organizations to establish a "data protection officer" to oversee compliance with that regulation; since the CCPA is often considered "GDPR 2.0" or "GDPR Lite," why not enlist that person to oversee your CCPA compliance team?

4. MAP YOUR DATA AND ITS FLOWS.

Knowing where your information is coming from, what form it takes, and where it’s going is critical to your organization’s CCPA compliance. You must understand your data assets before you can answer consumer requests for access and, possibly, deletion of their personal information, a linchpin of the CCPA.

5. ASSESS YOUR THIRD PARTIES.

How CCPA compliant are your vendors, business partners, and other third-party data recipients? If they don’t comply, you could be affected. And understanding which third parties you’re selling data to or sharing it with and what those entities are doing with the information — whether their uses are in line with the service provider agreements you have in place — will help ensure you are CCPA compliant, as well.

6. CLASSIFY AND TAG CCPA-GOVERNED PERSONAL INFORMATION.

If a California resident asks to see the data you have collected that belongs to them, you must comply, says the CCPA, within 30 days. Classify and tag all your CCPA-governed data all the way back to Jan. 1, 2019, so that, starting Jan. 1, 2020, you’ll be able to comply with those requests easily.

7. REVIEW AND UPDATE YOUR PRIVACY POLICIES AND NOTICES.

The CCPA demands that organizations provide California consumers with very specific and clear privacy statements telling consumers exactly how you intend to use their data and why.

8. ESTABLISH CCPA TRAINING FOR RELEVANT EMPLOYEES.

The California Consumer Privacy Act requires training for your organization’s people who will work with consumers to address their CCPA requests and concerns.

9. TEST YOUR PROCESSES.

Once you have set up the processes to comply with the CCPA, it’s important to test them to make sure they work.

10. CONSULT YOUR ATTORNEY.

The CCPA is not only a complex law, but it contains inconsistencies, errors, and uncertainties due in part to its hurried passage. Your organization’s legal counsel can help you make sense of it and understand all its implications on your data processing procedures.

Compliance Checklist: The California Consumer Privacy Act of 2018 (CCPA)

You’ve done your advance work, using the CCPA readiness roadmap we’ve outlined for you above. You know what to expect come Jan. 1, 2020, the date the CCPA takes effect. Now—are you compliant?

To help you get to compliance and stay there, we’ve put together this CCPA organizational readiness checklist for your use. Do the prep work we’ve advised, then check off this list, and meeting the requirements for CCPA compliance should be a snap.

  1. Have you categorized, or "tagged," all your California residents’ data?
    Removing people’s names isn’t good enough to avoid this step—not anymore. While other regulatory frameworks allow "pseudonymizing" data, which means changing the data owner’s name, or simply removing the name altogether as a means of de-identifying it, the CCPA does not. And under the CCPA, the rights of consumers (which means, under this law, California residents) include the right to view their data, to opt out of letting you share or sell it, and the right to delete it from your database. Altering it so its owner can’t be identified can enable you to use data as you like, but there’s more to identity than our names. This law recognizes other data elements in personal information that can be used to identify individuals or their household, such as their IP address or geolocation data. If you’ve included that kind of identifying information, you’ll need to have it ready to show its owner. Your best bet may be simply to categorize everything so that, should a California resident ask to see the personal information you have of theirs, you can quickly comply.
  2. Does your website follow the rules?
    The CCPA requires a homepage privacy policy disclosure. The policy must be easy to understand. It must clearly state how you use the data you collect. The CCPA also requires an "opt out" button or link on your website for consumers to click if they don’t want you to sell or share their data. For consumers age 13 to 16, you must provide a way to opt in to their data’s sale or sharing, not an opt out—and if the consumer is 13 or under, their parents must opt them in.
  3. Do you have a process for data access and deletion?
    When consumers ask to view or delete the data you have on them, your organization must respond within 45 days. Tagging can be a chore, but unless you do so, making sure that all the user’s data gets deleted can be really tricky, especially if you’ve shared it with others.
  4. Do you have an audit trail?
    In the end, it’s an auditor who will determine whether or not you meet all the CCPA requirements. To pass the test, it’s imperative that you document your data collection processes, privacy policies, and everything else your organization does to safeguard the data of California residents that it accepts, shares, sells or stores.
  5. How effective is your incident response plan?
    Data breaches will be the main triggering factor for CCPA lawsuits. Being able to show that you have a thorough and well tested plan in place for responding to breaches and breach attempts will help you avoid fines and penalties if your systems get attacked.

What Are the Penalties for CCPA Non-Compliance?

Non-compliance with the California Consumer Privacy Act of 2018 (CCPA) can result in serious consequences. Penalties may range from monetary fines levied in California attorney general enforcement of the law to statutory damages granted as civil remedies as the result of a lawsuit.

The CCPA’s ‘Private Right of Action’

The privacy legislation, designed to protect California residents’ ("consumers") rights over their personal information, gives those consumers a "private right of action" in the form of a lawsuit if their "nonencrypted and nonredacted personal information" is "subject to an unauthorized access and exfiltration, theft, or disclosure." (The original AB 375 text read "nonencrypted or nonredacted"; SB 1121 changed it to "and".) Note that for this section the law uses the narrower definition of personal information from California’s data breach statute (Civil Code section 1798.81.5), such as a name paired with a Social Security, driver’s license or financial account number, or a username or email address together with a password, rather than the CCPA’s broad general definition.

To file a suit, the consumer must show that a business’s lack of "reasonable security procedures and practices appropriate to the nature of that information" caused the breach of their data.

Statutory damages for non-compliance may include:

  • $100 to $750 per consumer per incident, or actual damages, whichever is greater
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

In other words, if the data of 1,000 consumers were breached in one incident, a business could owe as much as $750,000 in statutory damages, before any injunctive or other relief the court grants.

When assessing statutory damages, the CCPA directs a court to consider the nature, seriousness, and persistence of the misconduct, the number of violations, the length of time over which the misconduct occurred, whether the defendant willingly broke the law, and the defendant’s assets, liabilities and net worth.

The law does give businesses a chance to right any wrongs and escape statutory damages. Before suing for statutory damages, a consumer must give the business 30 days’ written notice identifying the specific provisions it has allegedly violated. If within those 30 days the business actually cures the violation and gives the consumer an express written statement that it has done so and that no further violations will occur, the consumer may not proceed with an action for individual statutory damages. No notice is required when the consumer sues solely for actual pecuniary damages suffered as a result of the breach.

Efforts to expand the CCPA ‘Private Right of Action’

The CCPA allows consumers to sue a business in connection with a data breach, and in no other case. General violations, such as a business’s failure to respond to a consumer’s request to view or delete their personal information, or its continuing to sell that data after the consumer has opted out, can be enforced only by the California attorney general.

The attorney general’s office, however, has indicated that it might not have sufficient resources to enforce the law. In response, the state Senate considered SB 561, a Private Right of Action amendment that would have allowed consumers to seek recourse for any violation of the law.

Technology companies opposed the bill, saying it would unleash a flood of litigation if passed. The state Senate blocked it in May 2019. Its supporters haven’t given up, though: it’s thought possible, and perhaps even likely, that the bill will resurface in some form.

Civil enforcement by the AG

Starting July 1, 2020 — six months after the CCPA takes effect — the California attorney general may bring civil actions against businesses for any violation of the CCPA. Before doing so, the attorney general must notify the business and give it 30 days to cure the violation. If the business does not cure it within that time, the attorney general may seek an injunction and civil penalties, assessed by the court, of up to $2,500 per violation or $7,500 for each "intentional" violation.

How Will CCPA Audits Work?

The CCPA audit process isn’t yet known. The California Consumer Privacy Act of 2018 (CCPA) doesn’t take effect until Jan. 1, 2020 and the California attorney general won’t enforce it until the following July 1. In the meantime, bills are pending that could change CCPA requirements.

Generally, expect a CCPA audit to scrutinize your organization’s policies, procedures, processes, and documentation. Auditors will likely want to see how you handle data privacy and how well-equipped your organization is to respond to consumer requests for access to and deletion of their data—two rights provided by the law.

To be ready for the Jan. 1 CCPA deadline, you should prepare now. Check out Reciprocity’s CCPA audit checklist, with questions like these:

  • What personal information is your organization collecting?
  • How do you use the personal information you are collecting? Do you sell it? Do you share it with any third parties? If so, why?
  • How often do you review your policies and procedures for collecting personal information?
  • Have you updated your privacy policies — those distributed internally and posted on your website — to conform to the CCPA’s disclosure requirements?
  • What are your policies and procedures for responding to consumer requests regarding their personal data? How quickly can you respond?
  • How do you categorize consumer personal information? Do you use tagging, or some other method?
  • How do you track and honor consumer requests to opt out of your selling or sharing their data?
  • What training have you provided to your personnel in the CCPA, its requirements for handling personal information, and CCPA-compliant procedures for dealing with consumer requests about their data?
  • Do your third-party contracts require CCPA compliance in their handling of the personal information you provide to them?
  • What risk-management policies and procedures do you have to govern third-party access and handling of consumer information that you provide?
  • Do you conduct third-party CCPA audits to ensure that your service providers are CCPA compliant?

How to Automate Your CCPA Compliance

The "how" is fairly simple: California Consumer Privacy Act of 2018 (CCPA) compliance automation can be handled by any combination of digital compliance tools.

The pressing question is, how can you know which one to choose?

Before we answer, let's explore the "whys" of CCPA compliance automation.

Some of the reasons to automate CCPA compliance you can surmise from all that you’ve read here:
  • The CCPA is a complex, first-of-its-kind data privacy law with a long reach.
  • It grants California residents ("consumers") rights over their personal information that no general U.S. privacy law had granted before: to know what is held, to have it deleted, and to stop its sale.
  • It places the onus on businesses to track, categorize, manage, provide access to, delete upon request, and refrain from sharing or selling information if its owners desire.
  • It requires that employees who handle personal information and consumer requests about their data be trained in the CCPA’s requirements.

California lawmakers passed the hastily drawn-up CCPA to avoid a more stringent initiative’s inclusion on the November 2018 ballot. As a result, the law passed with errors and omissions. Bills and amendments are pending, meaning the law could change before it even takes effect.

How will your organization know about, and cope with, updates to the CCPA?

Software is how. A good CCPA solution such as ZenGRC will do much of your compliance work for you. ZenGRC checks your systems and documents against the latest CCPA requirements and obligations, a valuable tool for conforming to this sometimes-confusing law.

You’ll have no spreadsheets to juggle or try to make sense of. Instead, your CCPA workload will shrink to fit on color-coded, user-friendly dashboards with checklists designed to make compliance simple.

ZenGRC cross-checks your CCPA efforts against the requirements of more than a dozen other regulatory frameworks, including GDPR, HIPAA, FedRAMP and NIST, so you can avoid time-wasting duplication of effort.

It even allows you to self-audit in a few clicks, and gathers and stores your CCPA compliance documentation in "single source of truth" repositories. And should changes to the law occur, ZenGRC will update its algorithms and checklists automatically so you don’t have to.

The result is simple, streamlined—automated—GRC management that’s worry-free for CCPA and many other regulatory and compliance frameworks. To learn more, contact a Reciprocity expert today for your free demo.