Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is the CCPA (California Consumer Privacy Act)?

CCPA Compliance

The California Consumer Privacy Act of 2018 (CCPA), which came into effect on January 1, 2020, is designed to give consumers more control over the personal information that businesses collect about them and to provide guidance to companies on how to implement the law. Based on the European Union’s General Data Protection Regulation (GDPR), this landmark law secures new privacy rights for California consumers, including: the right to know about the personal information a business collects about them and how it is used and shared; the right to delete personal information collected from them (with some exceptions); the right to opt out of the sale or sharing of their personal information; and the right to non-discrimination for exercising their CCPA rights.

Who is Required to Comply with CCPA?

The CCPA applies to for-profit businesses that collect or process the personal information of California residents and meet one of the following criteria:

  1. Have annual gross revenues of over $25 million;
  2. Buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices; or
  3. Earn more than half of their annual revenue from selling the personal information of California consumers.

What are the CCPA Requirements?

Under CCPA rules, businesses have 45 days to respond to any consumer request. They are required to provide California consumers with the right to:

  1. Know what personal information is being collected about them (Right to Disclosure).
  2. Access the personal information that has been collected from them (Right to Access).
  3. Request that their personal information be deleted (Right to be Forgotten).
  4. Opt out of the sale of their personal information.
  5. Not be discriminated against for exercising their privacy rights (Right to Fair Treatment).
  6. Receive equal services and price, even if they exercise their privacy rights.
  7. Know the categories of sources from which their personal information is collected.
  8. Know the business or commercial purpose for collecting or selling personal information.
  9. Know the categories of third parties with whom the company shares personal information.

What are the Penalties for Violating CCPA?

If (following an audit) a business receives a notice informing them that they are not compliant, they have 30 days to remediate the issue. A failure to do so could result in civil penalties of up to $7,500 per violation, and users can also seek $750 in damages for each data breach. Companies may also be subject to a criminal penalty of up to $2,500 per violation, although this is rare. A failure to comply with the CCPA could leave companies open to additional lawsuits, which could take years to resolve and cost a lot of money (attorney’s fees and reparations).

CCPA Compliance Checklist

The first steps towards CCPA compliance include performing a risk assessment, hiring relevant professionals, and creating an inventory of your infrastructure. You will also need to ensure that you have covered the following key points:

  1. Develop a CCPA compliance strategy, which includes a “do not sell” policy and a “do not track” mechanism.
  2. Create a privacy policy that provides relevant information about the company’s collection, use, and sharing of personal information, as required by the CCPA.
  3. Establish procedures to provide consumers with the right to access, delete, and opt out of the sale of their personal information.
  4. Train employees on CCPA compliance and handling of personal information.
  5. Implement security measures to protect the personal information of consumers.
  6. Implement procedures to help you review and monitor the effectiveness of your compliance strategy.
  7. Update contracts with vendors and service providers to ensure they comply with the CCPA.
  8. Monitor changes in the law and modify the CCPA compliance strategy accordingly.

How does Lepide Help with CCPA Compliance?

The Lepide Data Security Platform provides a number of invaluable tools that can help your organization comply with the CCPA, which include:

CCPA data discovery and classification

In order to adequately protect personal data belonging to Californian citizens and respond to user requests, you first need to know where their data is located. The Lepide solution will automatically scan your file repositories (both on-prem and cloud-based) for CCPA-covered data, and classify it accordingly. This will make it easier to quickly locate user records, as well as assign the appropriate access controls in order to prevent unauthorized access.

Real-time auditing of CCPA-covered data

The Lepide platform uses machine learning models to identify anomalous user activity and will deliver real-time alerts to your analyst’s inbox or mobile device when suspicious changes to CCPA-covered data are detected. Via the Lepide dashboard, you can see which users have access to personal data, and make changes to their permissions if they are deemed excessive. The platform also makes it easy to identify open shares and clean up stale data and redundant user accounts.

Comprehensive compliance reports

In order to comply with the CCPA, it is imperative that you are able to promptly demonstrate your compliance efforts to the relevant authorities. Using the Lepide platform you can easily generate detailed compliance reports that are customized to meet the requirements of the CCPA.

If you’d like to see how the Lepide Data Security Platform can help you comply with the CCPA, schedule a demo with one of our engineers.