The California Consumer Protection Act (CCPA) was created to respect and protect consumer data. It ensures certain rights—like the right to opt-out of data collection programs—and it introduces numerous disclosure, privacy policy, and enterprise privacy risk assessment requirements that organizations must follow.
CCPA Enterprise Privacy Risk Assessment Preparation
Although it was signed into law in 2018, the CCPA officially took effect on January 1, 2020. This leaves many enterprises wondering how they can meet these requirements without jeopardizing productivity or profitability. It also leaves California residents with numerous questions regarding their new protections and general privacy risk management.
These complications regarding CCPA compliance make it difficult to fully understand:
- What is included in the CCPA?
- What are the CCPA’s exact requirements?
- What is the enterprise privacy risk assessment process for CCPA compliance?
What is the CCPA?
Created specifically for organizations and consumers in California, the CCPA differs from other regulations in numerous ways. It also has a much broader definition when it comes to classifying personal information.
Under the CCPA, personal information includes any data directly or indirectly linked to a specific consumer or household.
Additionally, the CCPA introduces numerous rights and protections for consumers within the state, including:
- The right to know when personal information is being collected and why it’s being collected, shared, or used
- The right to request deletions of personal information
- The right to opt-out of sales regarding personal information
- The right to fair and ethical treatment as well as non-discrimination
Who Must Comply with the CCPA?
CCPA compliance must be maintained by any for-profit organization, regardless of its location, that interacts with California citizens’ personal data and that meets at least one of the following criteria:
- Exceeds a gross annual revenue of $25 million
- Processes, receives, or shares information regarding 50,000 or more consumers on an annual basis
- Derives 50% or more of its annual revenue from selling personal consumer information
- Conducts transactions regarding consumer information within the state
Notable Exemptions
While the CCPA technically covers all for-profit organizations interacting with Californians’ data and meeting the above criteria, there are some notable exemptions. However, most privacy risk assessments, including those designed for the CCPA, are still helpful when protecting consumer data.
Exemptions to the CCPA include:
- Healthcare institutions – Instead of abiding by the policies outlined in the CCPA, all healthcare institutions, including hospitals and other facilities, are expected to follow the Health Insurance Portability and Accountability Act, or HIPAA.
- Financial institutions – While organizations within the finance sector aren’t bound by the CCPA, they must follow FINRA, the Gramm-Leach-Bliley Act, or the California Financial Information Privacy Act.
- Public information – According to the CCPA, publicly available data is not considered personal information. Because of this, public information is not given the same amount of protection.
Penalties for Non-Compliance
Current penalties for non-compliance can be significant depending on the scenario. Regardless of any monetary penalties, organizations also have to consider the potential damage to their reputation as a result of non-compliance with the CCPA or failing to obtain an enterprise privacy risk assessment.
- Monetary penalties up to $7,500 per violation for intentional CCPA violations
- Monetary penalties up to $2,500 per violation for unintentional violations that aren’t remediated within 30 days of notice
- Statutory damages ranging from $100 to $750 for every employee in California per incident, or the cost of actual damages—whichever amount is greater
What are the CCPA Requirements?
Organizations bound by the CCPA are expected to uphold certain standards and practices to ensure the protection of consumer data. Gaps against these expectations are readily identified with a comprehensive enterprise privacy risk assessment. These requirements include:
- Obtaining consent from parents or legal guardians for individuals under 13 years old
- Receiving affirmative consent for individuals between 13 and 16 years old
- Providing a hyperlink on your organization’s home page that makes it easy for individuals to opt-out of consumer data collection, processing, and sharing
- Providing convenient methods for individuals to submit their requests for data access, including, at the minimum, a toll-free telephone number
- Updating and revising organizational privacy policies with a full description of the consumer rights introduced with the CCPA
- Avoiding requests for opt-in consent for a period of 12 months following an opt-out request from a resident of California
Conducting an Enterprise Privacy Risk Assessment
As an official CCPA Compliance Assessor and Advisory service, RSI Security takes a multi-pronged approach to CCPA compliance with our enterprise privacy risk assessment process.
We start by analyzing your organization’s current policies regarding data privacy, consumer protection, and security controls. This includes physical, technical, and administrative controls. Next, we identify any gaps or shortcomings that exist between your organizational policies and the requirements of the CCPA.
Finally, we provide our own consultation to guide you through the final steps of the process. This usually entails advice on the corrective actions that need to be taken, along with any further recommendations. All of this is done to fully prepare your organization for the final CCPA audit.
In addition to privacy risk assessments, we also offer a myriad of supplementary tools and services during this time. All of these services are designed to help protect consumer data and meet all established compliance requirements within the state.
Personal Data Mapping
It’s tough to maintain compliance with the CCPA if you don’t know how much data your organization collects on a day-to-day basis. Personal data mapping solves this issue with a comprehensive inventory of your consumer databases, including information on:
- Deletion and archival timelines
- How the data is used
- Whether or not it’s shared with any other entities
Apart from the CCPA, personal data mapping is also a major component of achieving compliance with many other regulations, including the EU’s General Data Protection Regulation (GDPR).
Privacy by Design Integration
Privacy by Design is a concept that is simple to understand but difficult to properly implement. It’s centered around seven core principles, which ensure that your entire system is designed with consumer and user privacy in mind. Following these steps will ensure a painless enterprise privacy risk assessment.
- Take a proactive approach instead of reactive
- Ensure privacy settings are enabled by default
- Embed data protection into system design
- Never trade off privacy for enhanced functionality
- Maintain end-to-end data protection and full data lifecycle protection
- Provide the highest levels of transparency and visibility
- Respect user privacy at all times
Data Breach Response Planning
While privacy risk assessments are designed to minimize the chances of a data breach or similar incident occurring, these events can still happen. In these cases, it’s critical that your IT team knows exactly how to respond.
Use this time to delegate tasks and prioritize activities. For example, having one teammate identify the problem while another prepares a press release will ensure a quick and efficient response if an emergency does occur.
Penetration Testing and Vulnerability Scanning
Routine network penetration testing and vulnerability scanning go a long way in keeping the most common cyberthreats at bay. These services are especially useful during an enterprise privacy risk assessment or when preparing for a CCPA audit, as they can help you identify potential threats that you didn’t detect through other means.
Data Security Awareness Training
Knowledge is the key to preventing and remediating data breaches or similar incidents. Ensure staff awareness of threats like viruses, ransomware, phishing, and social engineering—as well as their preparation to act at a moment’s notice—with comprehensive training and ongoing education.
Meeting CCPA Requirements Once and For All
It’s been a part of California state law for several years now, and most organizations within the state are expected to abide by the CCPA. Failure to do so could result in significant fines and irreparable damage to your public image.
To begin your CCPA enterprise privacy risk assessment as soon as possible, contact RSI Security today.