CCPA Compliance: How Contextual Understanding Can Help
On January 1, 2020, privacy professionals woke up to a new reality — the California Consumer Protection Act (CCPA). While this act is a creation of the State of California that’s designed to protect the personal data of California residents, its impact will be felt across the United States and beyond. Following on the heels of GDPR, legislatures around the world have been busy enacting an alphabet soup of data privacy regulations at both national and state levels. These regulations will require policy and control implementation, keeping privacy professionals occupied for a while.
If your organization just got done implementing GDPR compliance, chances are you will need to prepare for CCPA as well. But how can you tell if CCPA impacts you?
Does CCPA Affect You?
The following three criteria are used to determine if a business needs to comply with CCPA.
- Annual revenue greater than $25 million,
- Collects data on over 50,000 consumers, households, or devices annually, or
- Derives at least 50% of its annual revenue from the sale of personal information
A handy mnemonic for these criteria is the rule of 25-50-50: $25 million in total revenue, 50K records, or 50% of revenue from data sales.
The other criterion used by CCPA is geography. It applies to any entity that “does business in California.” For now, “doing business” is interpreted to include interacting with consumers who are located in California, even if the business has no physical presence or employees in the state. This interpretation may evolve through future court decisions, but for now it casts a very wide net.
California is the world’s fifth largest economy, home to almost 40 million, and the epicenter of a vast technology and data ecosystem. It’s difficult for an online business to exclude such a large market. Moreover, other states are implementing similar regulations, which means geofencing out states with privacy regulations is not a viable strategy.
What Does CCPA Regulate?
CCPA confers some explicit rights onto consumers when a business collects their data for commercial use:
The right to knowledge. Consumers have a right to know what data is being collected about them and how it will be used.
The right to be forgotten. Consumers have the right to deletion of all their personal data upon request.
The right to opt-out. Consumers have the right to opt-out from the sale or commercial use of their data.
CCPA also imposes age restrictions on data collection. Businesses must get explicit consent from anyone under the age of sixteen, and must have written permission from a parent or guardian for anyone under the age of thirteen.
How Can I Comply with CCPA?
CCPA regulations have a few explicit requirements, but they can be loosely classified into two categories: disclosure and data governance.
Disclosure. Any time businesses collect personal data, they must explicitly disclose what information is being collected, how they intend to use that information, and what information has been sold in the past year.
Data Governance. Businesses must create mechanisms to allow consumers to opt out of the sale of their data, and to honor deletion requests. This includes implementing mechanisms for data discovery, as well as controls to ensure opt-out requests are honored.
What Constitutes a CCPA Violation?
Any improper disclosure of consumer data constitutes a CCPA violation. This includes accidental or malicious data breaches that result in the data being shared, sold, or published on the Internet.
Unlike GDPR, CCPA leaves you some slack for accidental violations. The penalty is $2,500 per occurrence for unintentional violations, and $7,500 for intentional violations. This is a far cry from the GDPR penalty, which could be as high as 4% of worldwide revenues. However, CCPA also makes it easy for consumers to sue the business for improper disclosure without the need to show explicit harm caused by the breach.
Compliance Requires Context
Two of the biggest practical challenges with compliance are data discovery and data leakage prevention. Modern productivity apps like email, Google Drive, and Slack create multiple places and pathways for data to reside in and flow within or outside an organization. Implementing compliance controls without sacrificing productivity is tricky. For example, you may want to allow customer records to be used internally by your customer success teams for the purpose of solving customer problems. This means allowing their data to be shared over email or other internal apps. However, you don’t want the same data to be used for marketing purposes or shared with third parties.
This is where compliance requires context. Keyword searches for all occurrences of a particular customer’s name (or identifier) within your communications would surface not only potential exfiltration attempts, but also all the legitimate uses of that data. An analyst would then have to manually sift through each flagged message to find the true positives. Also, given the high noise ratio, it would be impractical to set enforcement policies based on keyword searches alone.
This is where Natural Language Understanding (NLU) can help. NLU can understand the tone and intent of the messages to distinguish between legitimate data sharing and an exfiltration attempt. This can significantly cut down on the noise from false positives, and focus precious analyst resources on processing actual violations. With sufficient accuracy, NLU-based policies can also be used to enforce compliance regulations by preventing accidental or malicious data exfiltration through human communication channels like email and chat.
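To make the noise problem concrete, here is an added example (not Armorblox code, and not a real NLU model): it runs a keyword-only rule and a context-aware rule over constructed sample messages and scores both against analyst ground truth. The context signals it uses (recipient domain, a few intent cues) are assumed stand-ins for what an NLU engine would infer about tone and intent.

```python
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"          # assumed internal mail domain
CUSTOMER_IDS = ("Jane Doe", "CUST-4471")  # constructed customer identifiers

@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    is_violation: bool  # analyst ground truth, used only to score the policies

# Constructed sample traffic: internal support use is legitimate; sharing
# outside the company or reuse for marketing is the kind of use CCPA restricts.
MESSAGES = [
    Message("support@example.com", "eng@example.com",
            "Jane Doe (CUST-4471) reports login failures, ticket 812. Can you check?", False),
    Message("support@example.com", "billing@example.com",
            "Refund approved for CUST-4471, please process today.", False),
    Message("alice@example.com", "partner@adnetwork.test",
            "Attaching the export with Jane Doe and 400 other customers for your campaign.", True),
    Message("bob@example.com", "marketing@example.com",
            "Add CUST-4471 and the rest of the Q3 signups to the upsell mailing list.", True),
    Message("dave@example.com", "team@example.com",
            "Weekly review: Jane Doe's issue was fixed in release 2.1.", False),
]

MARKETING = re.compile(r"\b(campaign|mailing list|prospects?|upsell|sell)\b", re.I)
SUPPORT = re.compile(r"\b(ticket|issue|fix(ed)?|refund|troubleshoot)\b", re.I)

def keyword_policy(msg: Message) -> bool:
    """Flag every message that mentions a customer identifier."""
    return any(cid.lower() in msg.body.lower() for cid in CUSTOMER_IDS)

def contextual_policy(msg: Message) -> bool:
    """Keyword hit plus context. Crude stand-in for NLU: the recipient domain
    and a few intent cues decide whether the use is legitimate support work."""
    if not keyword_policy(msg):
        return False
    external = not msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if external:
        return True  # customer data leaving the organization
    return bool(MARKETING.search(msg.body)) and not SUPPORT.search(msg.body)

def score(policy) -> dict:
    """Count true and false positives for a policy over the sample traffic."""
    flagged = [m for m in MESSAGES if policy(m)]
    tp = sum(m.is_violation for m in flagged)
    return {"flagged": len(flagged), "true_positives": tp,
            "false_positives": len(flagged) - tp}
```

On this sample the keyword rule flags every message that names the customer (three of five hits are legitimate support traffic), while the contextual rule flags only the external share and the marketing reuse.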
The Armorblox NLU Platform does just this. Along with stopping targeted inbound threats like business email compromise, Armorblox can be used to prevent PII and PCI data loss, playing a critical role in enforcing CCPA compliance. If you’re curious and would like to learn more, contact us for a demo of the Armorblox Platform.