The California Consumer Privacy Act (CCPA) is a bill that was passed into law in June 2018 with the goal of enhancing privacy rights and consumer protection for residents of California. CCPA goes into effect on January 1, 2020. You can find the full text of the CCPA regulation here on the California Legislative Information page.
Does my business need to comply with the CCPA law?
CCPA applies to organizations that process any personal data for a California consumer:
- A California consumer is a natural person who is a California resident.1
- Personal information is information that identifies a particular consumer or household.2
If your organization processes the information defined in the above, then the CCPA applies to your business if you satisfy one or more of the following thresholds:
- Gross annual revenue is more than $25 million
- Process information about 50,000 or more households, consumers or devices
- Earn 50% or more of your annual revenues from selling consumers’ personal information3
- Or if your business controls or is controlled by a business which meets the threshold for one of the above criteria.
Why was the CCPA Established?
How is Personal Information Defined by the CCPA?
The CCPA defines Personal Information as non-public information that “…identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 1798.140(o)(1-2). Examples of Personal Information are name, email address, IP address, and also internet activity like browsing history. Each regulation has its own definition of personal information, so it is important to know how it is defined in the CCPA (i.e. Personal Information is defined differently in CCPA than how it is defined in GDPR which covers the personal data of EU citizens).
What if My Business is Not Headquartered in California – Is it Still Impacted by CCPA?
The State of California also recognizes that data misuse has no geo-graphical boundaries. If a person’s data is misused in California or outside of it, the impact on the person is the same. That is why the CCPA applies to business who gather and process data of any California consumer, no matter the business’ location, rather than applying it only to businesses in California. The CCPA is based on data and people, not data processing location.
What the State of California wants organizations to do is protect the personal data of its consumers, regardless of the physical location of the system the data resides on. Protection is to ensure no “unauthorized access and exfiltration, theft or disclosure of a consumer’s nonencrypted or nonredacted personal information”5. (citation to page 2 of the CCPA law document). The definition of how to protect personal data is in section 1798.150.(a)(1) page 19 of the Assembly Bill. The business has the “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information…”
How to Address CCPA?
The CCPA is silent as to what exactly those security procedures are and there is no further definition around security. Because the focus is on breach prevention, the most effective way to ensure your cyber security strategy and controls meet the definition of “reasonable security practices” is to implement an industry standard security framework- for example NIST Risk Management Framework, ISO 27001, CSA CCM for cloud, or CIS Best Practices- to an appropriate degree for the information you process and the technologies you use. Fidelis has mapped our capabilities to many of the NIST 800-53 controls and we believe that this is an appropriate method to help prevent breaches.
*This article is for informational purposes only and should not be construed as legal advice.
1 1798.140 (g), Assembly Bill No 375, page 13
2 1798.140 (o) (1), Assembly Bill No 375, page 14
3 1798.125 (c) (1), Assembly Bill No 375, page 11
4 Section 1, (f), Assembly Bill No. 375, page 3
5 Legislative Counsel’s Digest, Assembly Bill No. 375, page 2