The California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018. The CCPA becomes effective on January 1, 2020. The CCPA gives California residents the right to know what data is collected about them, to provide or withdraw consent for use of their data by other companies, and to access their data at any given time.
Key Facts about CCPA
Date when CCPA comes into effect
Penalty for each intentional violation
Applies to any company doing business in California with revenues above $25 million
Key Considerations with CCPA
Personal Information Access
CCPA gives an individual the right to ask a business what personal information it has collected about them and for what purposes the information is used. Businesses are required to report whether the information has been shared with third parties.
Data Subject Rights
CCPA gives consumers the ability to "opt out" of consenting to a business's use of their personal information or to its sharing with a third party. CCPA also provides the right to be forgotten: any individual can request that a business delete personal information stored in its systems. The right to be forgotten is a complex problem for businesses storing multiple levels of customer data.
GDPR also elaborates on data security requirements to protect personal data, including measures for pseudo-anonymization, efforts to ensure integrity, the confidentiality of processing systems and ensuring access to personal data in case of a system failure or physical event.
Opt-in for Children
Businesses will be required to collect opt-in for children under the age of 16. For children that are under 13, the opt-in must be collected from a parent or guardian.
The CCPA defines “Personal Information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Different levels of consent are needed for different situations under the CCPA. For example, consumers may opt out of consenting to the sale of their personal information by a business. Additionally, third parties that receive PI through a purchase must provide consumers with notice and an opportunity to opt out of further sales before selling that information.
Not every company is classified as a business. The law defines a “business” as a legal entity that collects consumers’ personal information and has revenues over $25 million or buys, receives or shares personal information of 50,000 or more consumers or households.
How can Privacera help?
Deep Data Discovery and Classification
The Privacera discovery solution can continuously scan for and identify personal data as defined by CCPA. Privacera leverages machine learning and natural language processing to precisely identify sensitive data and update the metadata in a centralized store. This information can be used by other applications that need to know what data is stored where.
Privacera provides automated tools to delete or anonymize personal information in cloud storage or a database to address data subject requests for deletion ("right to be forgotten"). Privacera uses the internal metadata to accurately find specific information and remediate it as per business policies.
Purpose- and Consent-based Access Governance
The Privacera access management suite enables fine-grained, row- and column-level access control to data in the cloud. Privacera can include dynamic condition checks, such as the purpose of data access or existing consent, to control what data an internal or an external user can see.