COMPLIANCE

California Consumer Privacy Act (CCPA) Compliance

Schedule

ccpa

In the 21st century, we share and store our most sensitive personal information on phones, computer workstations, and cloud-based services and computers. Today more than ever, a strong privacy and personal data security program is essential to the safety and welfare of the people of California and to our economy.

What is the CCPA?

The California legislature unanimously approved and enacted the California Consumer Privacy Act of 2018 (CCPA) on June 28, 2018. The CCPA is arguably the most far-reaching data protection law ever enacted in the United States. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.

Key Provisions of California Data Privacy Law 2018

  • Consumers’ right to know and access personal data
  • Right to Deletion
  • Right to Opt-Out / Opt-In
  • Right to Equal Service
  • Privacy Policy Requirements
  • Disclosure Requirements
  • GLBA/HIPAA/Research/Legal Exceptions

Schedule A
Consultation

RSI Security is a full service CCPA Compliance Assessor and Advisory company that is uniquely positioned to assist you in meeting the CCPA requirements, protect personal data as well as honor consumers’ rights as per california privacy law.

RSI Security can evaluate your organization’s data privacy and security policies, procedures, and security controls to regulate the processing of personal data and prevent data breaches. We will identify any potential gaps between the practices and CCPA requirements, and advise corrective actions to be taken in order to be prepared for a CCPA audit.

pexels-photo-6766628.jpeg?auto=compress&cs=tinysrgb&w=1260&h=750&dpr=2

Our CCPA Compliance Services

shield

Personal Data Mapping and Inventory

shield

Privacy by Design Program

shield

Privacy Impact Assessment

shield

Incident and Data Breach Response Planning

shield

Network Penetration Testing

shield

Vulnerability Scanning

shield

Enterprise Privacy Risk Assessment

shield

Personal Data Security Awareness and Training

shield

CCPA Audit and Assessment Services (covering required and addressable technical, physical, and administrative safeguards for the personal data environment)

Value and Benefits of Being CCPA Compliant

  • Increased Customer Trust and Organizational Reputation
  • Increased Personal Data Protection
  • CCPA Audit-Ready and Secure Personal Data Environment
  • Personal Data Security Risk Management
  • Implementation of Information Security Program
  • Effective Incident Response Planning

Who is Required to Comply with the CCPA?

As per the California consumer privacy act text, CCPA Data Privacy Act applies to for-profit businesses that do business in California and fall into one or more of the following categories:

Have annual gross revenue of more than US$25 million derived from or attributable to the state of California (Cal. Rev. & Tax. Code [section] 17942(a)) 

Collect, buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more residents, households or devices annually.

Derive 50 percent or more of annual revenues from selling consumers’ personal information.

Service providers and entities that control or are controlled by such a business and share common branding with that business will also be held accountable.

CCPA is applicable regardless of the size of the organization i.e. sole proprietorships, partnerships, LLCs, corporations, and other organizations that transact in CA and either collect, sell, purchase, or receive consumers’ personal data.

Does your business meet CCPA compliance?

To meet CCPA Compliance requirements, a business must actively uphold the four primary rights guaranteed by the Act:

  • The right to know – Consumers in California have the right to know what data is collected from them. This includes the kinds of information, the amount thereof, and how the data is being collected; it also includes the reasons that data is being collected, such as the ways in which the data will be used or shared with third parties.

  • The right to delete – Consumers in California have the right to request the deletion of their personal data collected by a business. Unless the request meets one of a select few exceptions, such as failure to verify the request, the business must honor it.

  • The right to opt out – Consumers in California have the right to opt out from the sale of their personal data. Unless an exception like an overriding legal obligation applies, the business must cease such data sales until the consumer electively opts in again.

  • The right to non-discrimination – Consumers in California have the right to fair treatment from service providers whether or not they exercise their rights to know about, delete, or opt out from data collection. If an individual requests notice or deletion, or opts out, a business cannot refuse them services or change pricing on contracts.

    Upholding these rights requires implementing robust visibility and reporting infrastructure—along with third-party controls—to enable swift, accurate, and seamless reporting on data activities. They also empower timely deletion of information when California residents request it. Our CCPA consulting experts will help you streamline these efforts for compliance.

How to Become CCPA Compliant

To maintain CCPA compliance, your business needs to:

  • Develop, publish, and update a privacy policy detailing the controls in place to maintain compliance. Updates must occur at regular intervals no more than 12 months apart.

  • Monitor data privacy and integrity; keep up-to-date records of all uses, processes, or transactions impacting personal information collected from residents of California.

  • Provide notice to consumers before information is collected, or at the point of collection, including what kind of information, how much, and how it is to be used by the business.

  • Make information about personal data collection available to consumers from whom data has been collected—including all information provided in notices at or before collection.

  • Make information about exercising CCPA rights available to consumers from whom data has been collected, including information about how to opt-out or request data deletion.

  • Facilitate consumers’ ability to exercise their CCPA rights with an easily accessible opt-out page on your website—also known as a “Do Not Sell My Personal Information” page.

Installing robust monitoring and reporting infrastructure makes it easier to track what data is collected and how it is being used, which facilitates seamless notification and data access.

WORK WITH US

Your CCPA Compliance Partner

We are knowledgeable and experienced in providing compliance audit, assessment, and implementation services to organizations in meeting their regulatory compliance requirements, such as PCI DSS, HIPAA, EI3PA, NERC-CIP, NFA, FINRA, and GDPR.

Our experienced consulting team consists of:

shield

Qualified Information Security Assessors (QSA)

shield

Project Management Professionals (PMP)

shield

Certified Information Systems Auditors (CISA)

shield

Certified Information Systems Security Professionals (CISSP)

What Does the CCPA Cover?

Personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Personal information includes traditional identifiers (e.g. name, postal address, email address, Social Security number, and driver’s license or passport numbers), as well as unique personal identifiers (e.g. biometric information, IP address, internet browsing or search history, and geolocation data).

Penalties for non-compliance with CCPA

Companies that commit intentional violations are subject to penalties of up to $7,500 per violation.

Companies that commit an unintentional violation and fail to remediate within 30 days of receiving notice are liable for up to $2,500 per violation

Companies that experience data theft / data security breaches can be ordered in a civil class action to pay statutory damages between $100 to $750 per CA employee per incident or actual damages, whichever is greater, and any other relief a court deems proper.

vciso-monitoring

Why Choose RSI Security for CCPA Compliance Services?

RSI Security has helped businesses in every industry prepare for, achieve, and maintain CCPA compliance since the act was passed in 2018 and became effective in 2020.

Our CCPA consulting experts have experience in data privacy and integrity monitoring and will install robust visibility and reporting infrastructure that operates efficiently alongside other cyberdefense initiatives. We’ll work with your internal team to rethink regulatory and cybersecurity controls, maximizing security ROI.

Schedule an appointment today to speak with one of our CCPA consultants.

The CCPA was passed on June 28, 2018. It officially went into effect on January 1, 2020. In November of 2020, amendments to the CCPA, collectively called the California Privacy Rights Act, were passed. These are set to come into effect on January 1, 2023.

The CCPA is currently in effect. The full force of its amended form, with the CPRA, has yet to come into effect. However, the lookback period requires businesses to prepare information 12 months prior to the official effective date of the CPRA on January 1, 2023—which means that California residents have the right to request information about the collection of their personal data and its use dating back to January 1, 2022.

The CPRA extends the protections of the CCPA. It is intended to give consumers greater visibility and control over the ways in which their data is collected and used, including requests for partial limitations or other changes to those usages (in addition to full-scale opt-outs or requests for deletion). It also makes businesses accountable for security incidents impacting personal data and sets the groundwork for consumers to share the benefits of data sales.

The CCPA protects consumers living in California by providing them greater visibility and control over the collection and use of their personal data—both by the companies that collect it and by any other entities with whom they share it.

As an extension of the four rights detailed above, the seven rights CCPA guarantees are:

  • The right to be notified at or before the point of data collection
  • The right to access information about data collected from them
  • The right to opt out from data collection, before or during collection
  • The right to opt into data collection (for minors or their parents)
  • The right to request the deletion of data collected from them
  • The right to know about and be informed of their CCPA rights
  • The right to exercise rights without price or service adjustment

Businesses subject to the CCPA are required to disclose:

  • The categories of data collected from a consumer
  • The categories of sources used to collect data
  • The purposes for the collection (intended uses)
  • The categories of third parties that share the data
  • The categories of data that is sold, and to whom
  • The categories of data disclosed but not sold, and to whom
  • The specific pieces of data collected about a given consumer

The CCPA applies to for-profit businesses in California that meet one of the following criteria:

  • Businesses with a gross annual revenue of at least $25 million
  • Businesses that process data of at least 50 thousand Californians
  • Businesses that derive at least 50% of their revenue from processing Californians’ data

Any business that meets one of the criteria above, regardless of size (i.e., number of employees), may be subject to the CCPA.

Violations under the CCPA are wide-ranging. They include but are not limited to failure to provide required notices or access to information, failure or refusal to satisfy opt-outs or eligible requests for deletion, and failure to maintain a CCPA-compliant Privacy Policy.

The CCPA may apply to businesses located outside of California if they meet the criteria for collecting 50 thousand Californians’ data or deriving 50% of their revenue from said data. 

The CCPA is enforced by the Office of the Attorney General (OAG) of California. It sends notices of non-compliance to businesses, after which they have 30 days to remediate the violations or other issues impeding their compliance.

Data Privacy by Location

North America
North America
north america

canada

Canada

california

California

utah

Utah

colorado

Colorado

virginia

Virginia

connecticut

Connecticut

information

Click the
plus
button to expand

Global

North America

California

Colorado

Connecticut

Virginia

Utah

Canada

Europe

Select
x

Europe

The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018. It protects the privacy rights of data subjects in the European Union. It ensures transparency in communication and accessible modalities for data subjects to exercise their rights, which include: information about and access to personal data; rectification and erasure, including restrictions on select processes; and opting out of automated decision-making. Data processors and controllers must ensure privacy by design and default, and they may need to appoint a Data Protection Officer (DPO) or implement risk assessments and other measures, per the discretion of the EU Member State or other entity designated as their supervisory authority.

The GDPR applies to organizations based in the EU that process personal data, along with organizations outside of the EU that process the personal data of EU residents, offer goods or services to them, or monitor the behavior of EU residents. If a data breach occurs, the data controller is responsible for providing notification to their supervisory authority no more than 72 hours after becoming aware of the incident. The notice must include the nature of the breach, its likely consequences, and what measures are being taken to mitigate them, among other details.

Download Our UE GDPR Whitepaper
CUSTOMERS

Organizations that trust RSI Security

samsung
Major_League_Baseball
Epic
PowerDigital_SecondaryLogo_Transparent_Black_67181
cisco-impact
Workwave-1
sandag
tarleton-state-university-logo-freelogovectors.net_
Rady_Childrens_Hospital_logo.svg
Seal_of_Beverly_Hills_California.svg
century-club-sd

CCPA took effect on January 1, 2020. Businesses must take steps now to ensure compliance and avoid costly data-breach-related litigation and damage to business reputation.