California Consumer Privacy Act (CCPA) Compliance
In the 21st century, we share and store our most sensitive personal information on phones, computer workstations, and cloud-based services and computers. Today more than ever, a strong privacy and personal data security program is essential to the safety and welfare of the people of California and to our economy.
What is the CCPA?
The California legislature unanimously approved and enacted the California Consumer Privacy Act of 2018 (CCPA) on June 28, 2018. The CCPA is arguably the most far-reaching data protection law ever enacted in the United States. Fundamental to the right of privacy the CCPA protects is the ability of individuals to control the use, including the sale, of their personal information.
Key Provisions of California Data Privacy Law 2018
- Consumers’ right to know and access personal data
- Right to Deletion
- Right to Opt-Out / Opt-In
- Right to Equal Service
- Disclosure Requirements
- GLBA/HIPAA/Research/Legal Exceptions
RSI Security is a full-service CCPA compliance assessor and advisory company that is uniquely positioned to assist you in meeting the CCPA requirements, protecting personal data, and honoring consumers’ rights under California privacy law.
RSI Security can evaluate your organization’s data privacy and security policies, procedures, and security controls that govern the processing of personal data and prevent data breaches. We will identify any gaps between your current practices and the CCPA requirements, and advise on the corrective actions needed to be prepared for a CCPA audit.
Our CCPA Compliance Services
Personal Data Mapping and Inventory
Privacy by Design Program
Privacy Impact Assessment
Incident and Data Breach Response Planning
Network Penetration Testing
Enterprise Privacy Risk Assessment
Personal Data Security Awareness and Training
CCPA Audit and Assessment Services (covering required and addressable technical, physical, and administrative safeguards for the personal data environment)
Value and Benefits of Being CCPA Compliant
- Increased Customer Trust and Organizational Reputation
- Increased Personal Data Protection
- CCPA Audit-Ready and Secure Personal Data Environment
- Personal Data Security Risk Management
- Implementation of Information Security Program
- Effective Incident Response Planning
Who is Required to Comply with the CCPA?
Under the text of the California Consumer Privacy Act, the CCPA applies to for-profit businesses that do business in California and fall into one or more of the following categories:
Does your business meet CCPA compliance?
To meet CCPA Compliance requirements, a business must actively uphold the four primary rights guaranteed by the Act:
- The right to know – Consumers in California have the right to know what data is collected from them. This includes the kinds of information, the amount thereof, and how the data is being collected; it also includes the reasons that data is being collected, such as the ways in which the data will be used or shared with third parties.
- The right to delete – Consumers in California have the right to request the deletion of their personal data collected by a business. Unless the request meets one of a select few exceptions, such as failure to verify the request, the business must honor it.
- The right to opt out – Consumers in California have the right to opt out from the sale of their personal data. Unless an exception like an overriding legal obligation applies, the business must cease such data sales until the consumer electively opts in again.
- The right to non-discrimination – Consumers in California have the right to fair treatment from service providers whether or not they exercise their rights to know about, delete, or opt out from data collection. If an individual requests notice or deletion, or opts out, a business cannot refuse them services or change pricing on contracts.
Upholding these rights requires implementing robust visibility and reporting infrastructure—along with third-party controls—to enable swift, accurate, and seamless reporting on data activities. The same infrastructure also enables timely deletion of information when California residents request it. Our CCPA consulting experts will help you streamline these efforts for compliance.
How to Become CCPA Compliant
To maintain CCPA compliance, your business needs to:
- Monitor data privacy and integrity; keep up-to-date records of all uses, processes, or transactions impacting personal information collected from residents of California.
- Provide notice to consumers before information is collected, or at the point of collection, including what kind of information, how much, and how it is to be used by the business.
- Make information about personal data collection available to consumers from whom data has been collected—including all information provided in notices at or before collection.
- Make information about exercising CCPA rights available to consumers from whom data has been collected, including information about how to opt-out or request data deletion.
- Facilitate consumers’ ability to exercise their CCPA rights with an easily accessible opt-out page on your website—also known as a “Do Not Sell My Personal Information” page.
Installing robust monitoring and reporting infrastructure makes it easier to track what data is collected and how it is being used, which facilitates seamless notification and data access.
WORK WITH US
Your CCPA Compliance Partner
We are knowledgeable and experienced in providing compliance audit, assessment, and implementation services to organizations in meeting their regulatory compliance requirements, such as PCI DSS, HIPAA, EI3PA, NERC-CIP, NFA, FINRA, and GDPR.
Our experienced consulting team consists of:
Qualified Information Security Assessors (QSA)
Project Management Professionals (PMP)
Certified Information Systems Auditors (CISA)
Certified Information Systems Security Professionals (CISSP)
What Does the CCPA Cover?
The CCPA covers personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal information includes traditional identifiers (e.g. name, postal address, email address, Social Security number, and driver’s license or passport numbers), as well as unique personal identifiers (e.g. biometric information, IP address, internet browsing or search history, and geolocation data).
Penalties for non-compliance with CCPA
Companies that commit intentional violations are subject to penalties of up to $7,500 per violation.
Companies that commit an unintentional violation and fail to remediate within 30 days of receiving notice are liable for up to $2,500 per violation.
Companies that experience data theft or data security breaches can be ordered in a civil class action to pay statutory damages of between $100 and $750 per California employee per incident or actual damages, whichever is greater, and any other relief a court deems proper.
Why Choose RSI Security for CCPA Compliance Services?
RSI Security has helped businesses in every industry prepare for, achieve, and maintain CCPA compliance since the act was passed in 2018 and became effective in 2020.
Our CCPA consulting experts have experience in data privacy and integrity monitoring and will install robust visibility and reporting infrastructure that operates efficiently alongside other cyberdefense initiatives. We’ll work with your internal team to rethink regulatory and cybersecurity controls, maximizing security ROI.
Schedule an appointment today to speak with one of our CCPA consultants.
The CCPA was passed on June 28, 2018. It officially went into effect on January 1, 2020. In November of 2020, amendments to the CCPA, collectively called the California Privacy Rights Act, were passed. These are set to come into effect on January 1, 2023.
The CCPA is currently in effect. The full force of its amended form, with the CPRA, has yet to come into effect. However, the lookback period requires businesses to prepare information 12 months prior to the official effective date of the CPRA on January 1, 2023—which means that California residents have the right to request information about the collection of their personal data and its use dating back to January 1, 2022.
The CPRA extends the protections of the CCPA. It is intended to give consumers greater visibility and control over the ways in which their data is collected and used, including requests for partial limitations or other changes to those usages (in addition to full-scale opt-outs or requests for deletion). It also makes businesses accountable for security incidents impacting personal data and sets the groundwork for consumers to share the benefits of data sales.
The CCPA protects consumers living in California by providing them greater visibility and control over the collection and use of their personal data—both by the companies that collect it and by any other entities with whom they share it.
As an extension of the four rights detailed above, the seven rights the CCPA guarantees are:
- The right to be notified at or before the point of data collection
- The right to access information about data collected from them
- The right to opt out from data collection, before or during collection
- The right to opt into data collection (for minors or their parents)
- The right to request the deletion of data collected from them
- The right to know about and be informed of their CCPA rights
- The right to exercise rights without price or service adjustment
Businesses subject to the CCPA are required to disclose:
- The categories of data collected from a consumer
- The categories of sources used to collect data
- The purposes for the collection (intended uses)
- The categories of third parties that share the data
- The categories of data that is sold, and to whom
- The categories of data disclosed but not sold, and to whom
- The specific pieces of data collected about a given consumer
The CCPA applies to for-profit businesses in California that meet one of the following criteria:
- Businesses with a gross annual revenue of at least $25 million
- Businesses that process data of at least 50,000 Californians
- Businesses that derive at least 50% of their revenue from processing Californians’ data
Any business that meets one of the criteria above, regardless of size (i.e., number of employees), may be subject to the CCPA.
The CCPA may also apply to businesses located outside of California if they meet the criteria for collecting 50,000 Californians’ data or deriving 50% of their revenue from that data.
The CCPA is enforced by the Office of the Attorney General (OAG) of California. It sends notices of non-compliance to businesses, after which they have 30 days to remediate the violations or other issues impeding their compliance.