COMPLIANCE

California Consumer Privacy Act (CCPA) Compliance

Schedule

In the 21st century, we share and store our most sensitive personal information on phones, computer workstations, and cloud-based services and computers. Today more than ever, a strong privacy and personal data security program is essential to the safety and welfare of the people of California and to our economy.

What is the CCPA?

The California legislature unanimously approved and enacted the California Consumer Privacy Act of 2018 (CCPA) on June 28, 2018. The CCPA is arguably the most far-reaching data protection law ever enacted in the United States. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.

Key Provisions of California Data Privacy Law 2018

Consumers’ right to know and access personal data
Right to Deletion
Right to Opt-Out / Opt-In
Right to Equal Service
Privacy Policy Requirements
Disclosure Requirements
GLBA/HIPAA/Research/Legal Exceptions

Schedule A
Consultation

RSI Security is a full service CCPA Compliance Assessor and Advisory company that is uniquely positioned to assist you in meeting the CCPA requirements, protect personal data as well as honor consumers’ rights as per california privacy law.

RSI Security can evaluate your organization’s data privacy and security policies, procedures, and security controls to regulate the processing of personal data and prevent data breaches. We will identify any potential gaps between the practices and CCPA requirements, and advise corrective actions to be taken in order to be prepared for a CCPA audit.

pexels-photo-6766628.jpeg?auto=compress&cs=tinysrgb&w=1260&h=750&dpr=2

Our CCPA Compliance Services

Personal Data Mapping and Inventory

Privacy by Design Program

Privacy Impact Assessment

Incident and Data Breach Response Planning

Network Penetration Testing

Vulnerability Scanning

Enterprise Privacy Risk Assessment

Personal Data Security Awareness and Training

CCPA Audit and Assessment Services (covering required and addressable technical, physical, and administrative safeguards for the personal data environment)

Value and Benefits of Being CCPA Compliant

Increased Customer Trust and Organizational Reputation
Increased Personal Data Protection

CCPA Audit-Ready and Secure Personal Data Environment
Personal Data Security Risk Management

Implementation of Information Security Program
Effective Incident Response Planning

Who is Required to Comply with the CCPA?

As per the California consumer privacy act text, CCPA Data Privacy Act applies to for-profit businesses that do business in California and fall into one or more of the following categories:

Have annual gross revenue of more than US$25 million derived from or attributable to the state of California (Cal. Rev. & Tax. Code [section] 17942(a))

Collect, buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more residents, households or devices annually.

Derive 50 percent or more of annual revenues from selling consumers’ personal information.

Service providers and entities that control or are controlled by such a business and share common branding with that business will also be held accountable.

CCPA is applicable regardless of the size of the organization i.e. sole proprietorships, partnerships, LLCs, corporations, and other organizations that transact in CA and either collect, sell, purchase, or receive consumers’ personal data.

Does your business meet CCPA compliance?

To meet CCPA Compliance requirements, a business must actively uphold the four primary rights guaranteed by the Act:

The right to know – Consumers in California have the right to know what data is collected from them. This includes the kinds of information, the amount thereof, and how the data is being collected; it also includes the reasons that data is being collected, such as the ways in which the data will be used or shared with third parties.
The right to delete – Consumers in California have the right to request the deletion of their personal data collected by a business. Unless the request meets one of a select few exceptions, such as failure to verify the request, the business must honor it.
The right to opt out – Consumers in California have the right to opt out from the sale of their personal data. Unless an exception like an overriding legal obligation applies, the business must cease such data sales until the consumer electively opts in again.
The right to non-discrimination – Consumers in California have the right to fair treatment from service providers whether or not they exercise their rights to know about, delete, or opt out from data collection. If an individual requests notice or deletion, or opts out, a business cannot refuse them services or change pricing on contracts.
Upholding these rights requires implementing robust visibility and reporting infrastructure—along with third-party controls—to enable swift, accurate, and seamless reporting on data activities. They also empower timely deletion of information when California residents request it. Our CCPA consulting experts will help you streamline these efforts for compliance.

How to Become CCPA Compliant

To maintain CCPA compliance, your business needs to:

Develop, publish, and update a privacy policy detailing the controls in place to maintain compliance. Updates must occur at regular intervals no more than 12 months apart.
Monitor data privacy and integrity; keep up-to-date records of all uses, processes, or transactions impacting personal information collected from residents of California.
Provide notice to consumers before information is collected, or at the point of collection, including what kind of information, how much, and how it is to be used by the business.
Make information about personal data collection available to consumers from whom data has been collected—including all information provided in notices at or before collection.
Make information about exercising CCPA rights available to consumers from whom data has been collected, including information about how to opt-out or request data deletion.
Facilitate consumers’ ability to exercise their CCPA rights with an easily accessible opt-out page on your website—also known as a “Do Not Sell My Personal Information” page.

Installing robust monitoring and reporting infrastructure makes it easier to track what data is collected and how it is being used, which facilitates seamless notification and data access.

WORK WITH US

Your CCPA Compliance Partner

We are knowledgeable and experienced in providing compliance audit, assessment, and implementation services to organizations in meeting their regulatory compliance requirements, such as PCI DSS, HIPAA, EI3PA, NERC-CIP, NFA, FINRA, and GDPR.

Our experienced consulting team consists of:

Qualified Information Security Assessors (QSA)

Project Management Professionals (PMP)

Certified Information Systems Auditors (CISA)

Certified Information Systems Security Professionals (CISSP)

What Does the CCPA Cover?

Personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Personal information includes traditional identifiers (e.g. name, postal address, email address, Social Security number, and driver’s license or passport numbers), as well as unique personal identifiers (e.g. biometric information, IP address, internet browsing or search history, and geolocation data).

Penalties for non-compliance with CCPA

Companies that commit intentional violations are subject to penalties of up to $7,500 per violation.

Companies that commit an unintentional violation and fail to remediate within 30 days of receiving notice are liable for up to $2,500 per violation

Companies that experience data theft / data security breaches can be ordered in a civil class action to pay statutory damages between $100 to $750 per CA employee per incident or actual damages, whichever is greater, and any other relief a court deems proper.

Why Choose RSI Security for CCPA Compliance Services?

RSI Security has helped businesses in every industry prepare for, achieve, and maintain CCPA compliance since the act was passed in 2018 and became effective in 2020.

Our CCPA consulting experts have experience in data privacy and integrity monitoring and will install robust visibility and reporting infrastructure that operates efficiently alongside other cyberdefense initiatives. We’ll work with your internal team to rethink regulatory and cybersecurity controls, maximizing security ROI.

Schedule an appointment today to speak with one of our CCPA consultants.

When did CCPA go into effect?

The CCPA was passed on June 28, 2018. It officially went into effect on January 1, 2020. In November of 2020, amendments to the CCPA, collectively called the California Privacy Rights Act, were passed. These are set to come into effect on January 1, 2023.

Is CCPA still in effect?

The CCPA is currently in effect. The full force of its amended form, with the CPRA, has yet to come into effect. However, the lookback period requires businesses to prepare information 12 months prior to the official effective date of the CPRA on January 1, 2023—which means that California residents have the right to request information about the collection of their personal data and its use dating back to January 1, 2022.

What is the difference between CCPA and CPRA?

The CPRA extends the protections of the CCPA. It is intended to give consumers greater visibility and control over the ways in which their data is collected and used, including requests for partial limitations or other changes to those usages (in addition to full-scale opt-outs or requests for deletion). It also makes businesses accountable for security incidents impacting personal data and sets the groundwork for consumers to share the benefits of data sales.

How does the CCPA protect customers?

The CCPA protects consumers living in California by providing them greater visibility and control over the collection and use of their personal data—both by the companies that collect it and by any other entities with whom they share it.

What are the 7 rights given to consumers by the CCPA?

As an extension of the four rights detailed above, the seven rights CCPA guarantees are:

The right to be notified at or before the point of data collection
The right to access information about data collected from them
The right to opt out from data collection, before or during collection
The right to opt into data collection (for minors or their parents)
The right to request the deletion of data collected from them
The right to know about and be informed of their CCPA rights
The right to exercise rights without price or service adjustment

What are the CCPA required disclosures?

Businesses subject to the CCPA are required to disclose:

The categories of data collected from a consumer
The categories of sources used to collect data
The purposes for the collection (intended uses)
The categories of third parties that share the data
The categories of data that is sold, and to whom
The categories of data disclosed but not sold, and to whom
The specific pieces of data collected about a given consumer

Which companies does the CCPA affect?

The CCPA applies to for-profit businesses in California that meet one of the following criteria:

Businesses with a gross annual revenue of at least $25 million
Businesses that process data of at least 50 thousand Californians
Businesses that derive at least 50% of their revenue from processing Californians’ data

Does CCPA apply to small businesses?

Any business that meets one of the criteria above, regardless of size (i.e., number of employees), may be subject to the CCPA.

What is a violation under CCPA?

Violations under the CCPA are wide-ranging. They include but are not limited to failure to provide required notices or access to information, failure or refusal to satisfy opt-outs or eligible requests for deletion, and failure to maintain a CCPA-compliant Privacy Policy.

Does CCPA apply to companies outside of California?

The CCPA may apply to businesses located outside of California if they meet the criteria for collecting 50 thousand Californians’ data or deriving 50% of their revenue from said data.

Who enforces the CCPA?

The CCPA is enforced by the Office of the Attorney General (OAG) of California. It sends notices of non-compliance to businesses, after which they have 30 days to remediate the violations or other issues impeding their compliance.