The California Consumer Privacy Act (CCPA) is barely in full swing, and California voters have already approved an update to it, Proposition 24. Proposition 24 and the updates it makes to the CCPA have left many businesses confused about the state of their privacy compliance.
Fret not; in this article, we will explore all the significant changes to the CCPA and how they affect your business. But before jumping into the changes, here is a brief reminder on the CCPA.
The CCPA In Brief
The CCPA that most businesses are familiar with became enforceable in July 2020. With these new sweeping changes to the regulation, it is good to remind ourselves what the law is all about.
The CCPA was the California government’s response to the increasingly digital lifestyle of California consumers. Like other privacy-centered regulations such as the EU General Data Protection Regulation (GDPR), the CCPA’s primary goal was to curb the abuses of personal data that ran rampant in the online business space. Data breaches and cyberattacks often had real-world repercussions and posed significant privacy risks to the affected individuals. Governments globally caught on to these trends and stepped in, forcing businesses to bolster their security posture and take responsibility for individuals’ personal data. What we have now are globally reaching regulations like the GDPR and local regulations like the CCPA.
You might be wondering why you should care if your business isn’t in California. First, the law can apply to any business that meets its thresholds and handles the personal data of California residents, wherever that business is based. Second, the trend shows that other states are highly likely to adopt their own versions of privacy laws. Applying best-practice security and privacy models keeps you ahead of that trend while also giving you a potential marketing tool. Consumers are more concerned with privacy than ever and base many purchasing decisions on a company’s approach to privacy protection.
The Basic Principles Of The CCPA Before Proposition 24
Proposition 24 did not remove anything from the existing law (with one exception, which we will come to later); it left the existing principles in place and added new requirements on top of them.
In this section, we briefly remind you of the existing principles of the CCPA:
- Right to know what personal data a business collects
- Right to say no to the sale of your information
- Right to delete your information
- Business must apply protection to the data collected
- Right to access your data in a portable manner
- Special protection for minors
These are the main features of the existing law. Businesses have already made changes to their data processing models to become compliant with these principles over the past year.
However, Proposition 24 adds new requirements that put more pressure on businesses while, in some cases, not clearly benefiting the consumer’s privacy. We discuss this in greater detail later.
Proposition 24 And The Updates To CCPA
As mentioned in the prior section, Proposition 24 did not remove any of the principles of the existing law. Instead, it adds requirements that bring the CCPA more in line with global privacy regulations. If you are acquainted with the GDPR, these changes will look familiar.
In the coming sections, we will go through each significant change that might affect your business and give you some context.
Penalties for Negligence
With Proposition 24, a business can now be penalized for exposing users’ email addresses in combination with their passwords (or security questions and answers).
A breach is not automatically negligence. Accidents happen; the difference is that if a breach occurs because your organization did not implement reasonable security measures to protect the data, the loss is considered negligent.
Such a loss is now a penalizable offense under the updated CCPA, meaning your organization needs tighter technical and organizational safeguards, particularly around stored credentials, to ensure this data is not exposed.
Broadens The Scope Of Sensitive Data
One of the changes introduced by Proposition 24 concerns the classification of personal data. A new category, known under the regulation as “sensitive personal information,” broadens the scope of protected data to include identifiers such as:
- Social Security Numbers (SSN)
- Driver’s license numbers
- Credit card information in combination with a password or PIN
This category of data is also subject to new disclosure and purpose limitation principles.
Right To Restrict Use of Sensitive Personal Information
The updated CCPA gives consumers the right to limit how a business uses and discloses their sensitive personal information, and businesses must provide a way to exercise that right. It also extends the existing opt-out: before Proposition 24, the regulation required organizations to let consumers opt out of the sale of their information through an easily found link on the website. That requirement now also covers the sharing of their data (disclosure for cross-context behavioral advertising, even where no money changes hands).
Given that an opt-out mechanism was already required, extending it should not be difficult to implement; the new limit on sensitive personal information will require a separate control.
Right To Correct Your Data
This right is another one that regulators carried over from the GDPR, where it is more commonly referred to as the “right to rectification.” Essentially, consumers have the right to request that the data a business holds about them be accurate and up to date, and the correction must be provided free of charge. A real-world example: a pet owner had a microchip in their cat registered to an old home address, and the service provider offered to update the address for a fee. Under the updated act, businesses can no longer charge consumers to correct their data.
Another principle that many GDPR compliant businesses would be familiar with is the storage limitation principle. This principle is now part of the updated CCPA. Storage limitation requires that companies keep a data retention policy. The policy should explicitly state the lifecycle of data, primarily that the organization will not keep personal data longer than necessary.
The data retention policy and the data map derived from it are the means of demonstrating compliance with this principle.
For the GDPR-compliant businesses out there, you might be noticing a pattern. Data minimization is another new principle, requiring a company to collect only the personal data it needs.
This principle is like storage limitation but applied at the point of collection rather than deletion. For example, a Software-as-a-Service (SaaS) company that provides cloud storage might require:
- Email address (to login to the services)
- Credit Card information (to pay for the service)
- Address (to verify the credit card)
With this information, they can provide you the service. Any personal data collected beyond that would be considered unnecessary and, under this principle, not permitted. Keep in mind that this is a rudimentary example; a real SaaS environment is much more complicated, especially once you consider cookie consent.
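To show how the storage limitation and data minimization principles above translate into something enforceable, here is an added example (not code from the original article or from RSI Security) that models a retention schedule for the hypothetical cloud-storage SaaS: each data category carries the purpose it was collected for and how long it may be kept once that purpose ends. The categories, purposes, day counts and sample records are all assumptions constructed for illustration.

```python
"""Retention-schedule enforcement for a personal-data store (illustrative example).

Each category in RETENTION_SCHEDULE documents the purpose for collection
(data minimization) and a grace period after that purpose ends
(storage limitation). Every value below is an assumed, constructed example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    purpose: str      # why the field is collected at all
    grace_days: int   # days the data may be kept after the purpose ends


# Assumed retention schedule for the article's hypothetical SaaS; this is the
# "data map" an auditor would ask for.
RETENTION_SCHEDULE: Dict[str, RetentionRule] = {
    "email": RetentionRule("service login", 30),
    "payment_card": RetentionRule("subscription billing", 0),
    "billing_address": RetentionRule("payment card verification", 0),
}


@dataclass
class PersonalRecord:
    subject_id: str
    category: str
    value: str
    purpose_ended: Optional[date] = None  # set when the account/subscription closes


def minimize_signup(submitted: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Data minimization: keep only fields with a documented purpose.

    Returns the fields to store and a sorted list of the rejected field names,
    so the sign-up form (not just the database) can be fixed.
    """
    kept = {k: v for k, v in submitted.items() if k in RETENTION_SCHEDULE}
    rejected = sorted(k for k in submitted if k not in RETENTION_SCHEDULE)
    return kept, rejected


def is_expired(record: PersonalRecord, today: date) -> bool:
    """Storage limitation: True when the record may no longer be kept."""
    rule = RETENTION_SCHEDULE.get(record.category)
    if rule is None:
        # No documented purpose: the data should never have been stored.
        return True
    if record.purpose_ended is None:
        return False  # purpose still active (e.g. account open)
    return today >= record.purpose_ended + timedelta(days=rule.grace_days)


def apply_retention(records: List[PersonalRecord], today: date
                    ) -> Tuple[List[PersonalRecord], List[PersonalRecord]]:
    """Split records into (kept, purged) according to the schedule."""
    kept: List[PersonalRecord] = []
    purged: List[PersonalRecord] = []
    for rec in records:
        (purged if is_expired(rec, today) else kept).append(rec)
    return kept, purged


# Constructed sample data: one open account, one closed a month ago, one closed
# recently, and a field that was collected without any documented purpose.
SAMPLE_RECORDS = [
    PersonalRecord("u1", "email", "alice@example.com"),
    PersonalRecord("u2", "email", "bob@example.com", date(2021, 1, 1)),
    PersonalRecord("u2", "payment_card", "tok_4242", date(2021, 1, 1)),
    PersonalRecord("u3", "email", "carol@example.com", date(2021, 1, 20)),
    PersonalRecord("u3", "marketing_profile", "likes cats"),
]

if __name__ == "__main__":
    kept_fields, rejected = minimize_signup(
        {"email": "dave@example.com", "payment_card": "tok_1", "billing_address": "1 Main St",
         "phone": "555-0100", "date_of_birth": "1990-01-01"})
    print("stored fields:", sorted(kept_fields), "rejected:", rejected)
    kept, purged = apply_retention(SAMPLE_RECORDS, date(2021, 2, 1))
    for rec in purged:
        print(f"purge {rec.subject_id}/{rec.category}")
    print(f"{len(kept)} records kept, {len(purged)} purged")
```

Run as a scheduled job with the real clock, the `apply_retention` output is the audit trail: every purge ties back to a documented purpose and grace period, and a record whose category is missing from the schedule is flagged rather than silently kept.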
High-Risk Data Processors Require Cybersecurity Audits
This change is relatively straightforward. As the title suggests, high-risk processors will require annual cybersecurity audits to demonstrate a sound security posture. What constitutes a high-risk data processor is less clear: the text of Proposition 24 does not define it and leaves the criteria to regulations that have not yet been issued. For reference, the GDPR uses a similar idea, requiring an impact assessment for processing that is likely to result in a high risk to the rights and freedoms of the individuals affected, for instance if the data were breached.
Removal of Notice and Cure
In the introduction, we mentioned that Proposition 24 removed one element of the older version of the CCPA. Under the original law, a business that received notice of an alleged violation from the Attorney General had 30 days to cure it before an enforcement action could proceed. Proposition 24 removes that guaranteed cure period, so a business can be penalized without first being given time to fix the violation. In practice, organizations must address violations as soon as they are identified.
More Considerable Fines for Violations Involving Children’s Data
Proposition 24 changes the penalties for violations involving children’s data, tripling the fine levied against an organization that violates the privacy of a child. Currently, the CCPA imposes a fine of $2,500 for each violation and $7,500 for each intentional violation.
Once Proposition 24 becomes enforceable in 2023, a violation involving the personal information of a consumer under 16 will carry the $7,500 penalty regardless of whether it was intentional.
Business-to-Business Employee Data
In the older version of the CCPA, the exemptions for business-to-business contact data and employee data were set to expire in January 2021.
Proposition 24 extends that expiration date by two years, meaning employers remain exempt from most of the CCPA’s requirements for the personal data of employees, job applicants and independent contractors. The exemption is not total: businesses still have to give these individuals notice of what categories of data they collect and why, and the data-breach provisions still apply. The broader scope of the exemption is one of the contentious points of Proposition 24.
Opponents of Proposition 24 have pointed out the inconsistency of a privacy law that does not fully protect individuals in the workplace.
The California Privacy Protection Agency
One of the more significant changes to come with Proposition 24 is the creation of a new government agency. California has allocated $10 million to start up and maintain the California Privacy Protection Agency. This body will be responsible for enforcing the law and penalizing non-compliant companies.
Proposition 24 Pros and Cons
While in many privacy circles Proposition 24 is seen as a significant leap toward pro-consumer privacy, many have questioned the “fine print” of the legislation. Undoubtedly, it puts stricter requirements on businesses to respect their data subjects’ privacy. But compared with the GDPR, it falls short. The opposition’s primary concern is the alleged “pay for privacy” scheme, which allows businesses to offer a lower-quality service to data subjects who choose to opt out of data processing.
In the current rendition of the regulation, there is nothing to stop this from happening. We will just have to wait and see when Proposition 24 comes into full swing in 2023.
For businesses that rely on data processing, being compliant with the GDPR appears to cover much of what is necessary for the updated CCPA.
Proposition 24 has brought about sweeping changes to the CCPA. Overall, businesses can expect more stringent rules around personal data processing.
The significant changes mentioned in this article are:
- New penalties for data loss due to negligence
- New category of data: sensitive data
- New Rights
- Right to restrict processing of sensitive data
- Right to correct personal data records
- Storage limitation principle: storing only data that is necessary (i.e., fulfilling contractual obligations)
- Data minimization: only collecting personal data that is necessary
- Annual cybersecurity and data protection audits required for organizations that are “high-risk” data processors
- Removal of the guaranteed 30-day period to cure a violation after notice (violations must be addressed immediately)
- Triple fines for an offense involving children’s data
- New government agency: the California Privacy Protection Agency.
Opposition aside, Proposition 24 has passed and is here to stay. As a voter-approved initiative, it is unlikely to see substantive changes in the coming years.
With this in mind, it is time for organizations to implement the new changes where required.
RSI Security understands that regulatory changes can leave many businesses scrambling to catch up. Fundamentally, the CCPA is a security regulation, and most SMEs are not in the business of security.
Yet, they are required to implement this privacy regulation. Here is where RSI Security steps in. Let us help you overcome Proposition 24 and the updates to the CCPA; we are Californians, after all.
Get in contact with us today, and schedule a consultation here.
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.