The California Consumer Privacy Act (“CCPA”) came into force in 2020 and, since then, plenty of organizations have received notices of alleged non-compliance from the California attorney general about their data privacy and security practices.
In this blog, we’ll take a look through some of the most recent enforcement actions, so that your company can make sure it doesn’t fall into the same trap that these organizations did. At the end of the blog, we’ll also give you some handy advice on the tools and processes to put in place to ensure you’re meeting the requirements of the CCPA and other data privacy laws like the GDPR.
First things first: what’s the CCPA?
If you’re a little confused about what the CCPA is and whether it’s relevant to you, you’re not alone. Research indicates that over a third of business leaders don’t feel knowledgeable about the regulation. So, let’s demystify things a little.
In essence, the CCPA is a regulation that gives California residents more rights over their personal information. The statute’s definition of “personal information” is deliberately broad: it covers anything that identifies, relates to or could reasonably be linked to a person or household, which includes what security teams usually label personally identifiable information (PII) and, outside the HIPAA-covered cases the law exempts, health data (PHI).
Under the regulation, California residents have the right to:
- Access their personal data
- Understand what data about them a company uses, stores or shares
- Prohibit companies from selling their data
- Ask for businesses to delete their information
The CCPA applies to your organization if you do business in California, collect, use, store or transfer personal information relating to California residents, and meet any one of the following thresholds (not all three):
- Annual gross revenue above $25 million
- 50% or more of your annual revenue comes from selling consumers’ personal information
- You buy, receive, sell or share, for commercial purposes, the personal information of 50,000 or more consumers, households or devices per year
What has happened since CCPA came into effect?
Since 2020, a huge number of companies have faced the ramifications of failing to comply with the CCPA. The impact of non-compliance tends to fall into two buckets: class-action lawsuits and direct contact from the attorney general.
Below, we’re going to focus on the most recent enforcement actions from the attorney general, but it’s worth noting that class action lawsuits are a huge part of the CCPA too. Under the CCPA, consumers whose non-encrypted, non-redacted personal information is exposed in a data breach caused by a business’s failure to maintain reasonable security procedures have the right to sue, with statutory damages available even without proof of actual loss. That private right of action is limited to breaches; other violations are enforced by the attorney general.
In late 2020, for example, children’s clothing retailer Hanna Andersson agreed to pay $400,000 in light of a data breach that occurred in 2019.
But, that’s a story for another day. For now, here’s everything you need to know about some of the most recent CCPA violations we can learn from:
- Media company: This organization didn’t include the pivotal “Do Not Sell My Personal Information” opt-out link for the sale of consumers’ personal information.
- Mobile game: This company failed to abide by the CCPA in two ways. Firstly, it sold users’ personal information to third parties without permission and without an opt-out option. Moreover, as the company processed the data of minors, it needed affirmative opt-in consent before selling the personal information of consumers under 16 (and parental consent for those under 13), which it had not implemented.
At the time of writing, no fines have been handed out in these cases. Each business managed to remediate its violations within the 30-day statutory cure period that’s part of the regulation.
CCPA enforcements will only get tougher
Research shows 78 CCPA-related filings in 2020, rising to 110 in 2021, and we expect that number to climb again this year.
At the same time, we need to remember that the CCPA’s more robust, stringent sister – the CPRA – will come into effect in 2023. On top of the regulations in the CCPA, the CPRA gives consumers the right to:
- Edit and update personal information that is inaccurate
- Limit how companies use and disclose data about them
The new law also defines a category of “sensitive personal information” (social security and other government ID numbers, account credentials, precise geolocation, biometric and health data, among others) that organizations must apply special controls to, creates a dedicated regulator, the California Privacy Protection Agency, and removes the automatic 30-day cure period, so fixing a violation after notice is no longer guaranteed to avoid a penalty.
All of this means that it’s more important than ever for organizations to improve their data security and data privacy processes – and invest in the right tools.
DLP: the secret to successful compliance initiatives
Achieving compliance for a myriad of data privacy regulations can seem impossible – but there are tools out there to help you meet your requirements quickly and cost-effectively.
Whether you need to comply with HIPAA, GDPR, CCPA, GLBA or another state regulation, it’s a wise idea to turn to data loss prevention (DLP).
DLP works by discovering, classifying and controlling sensitive data as it moves across your organization. New-age solutions also extend these capabilities to the cloud, so that you can protect data in SaaS applications like Slack, Teams and Google Workspace.
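To make that discover/classify/control loop concrete, here is a small Python example added for this post. It is not the vendor’s product code or any real DLP engine; it assumes a hypothetical policy (a social security number blocks the message, a card number is masked) and runs over a few constructed chat lines. The point a practitioner should take from it is the validation step: a bare regex for SSNs or card numbers will flag order references and placeholders, so the scanner checks SSA issuance rules and the Luhn checksum before it acts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample traffic (not real data): the kind of text a SaaS DLP
# connector would see in a chat channel or shared document.
SAMPLE_MESSAGES = [
    "Customer SSN is 219-09-9999, please update the record",
    "Card on file: 4111 1111 1111 1111 exp 09/27",
    "Order ref 1234-5678-1234-5678 shipped",    # card-shaped but fails Luhn
    "SSN 000-12-3456 is a placeholder",         # area 000 is never issued
    "Lunch at 12:30?",
]

# Hypothetical policy: which classifier triggers which control action.
POLICY = {"ssn": "block", "card": "redact"}

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


@dataclass
class Finding:
    kind: str      # classifier that matched: "ssn" or "card"
    value: str     # the matched text as it appeared in the message
    action: str    # control action taken from POLICY


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most card-shaped numbers that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: these ranges are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def classify(text: str) -> List[Finding]:
    """Discover and classify: pattern match, then validate to cut false positives."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0), POLICY["ssn"]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", m.group(0), POLICY["card"]))
    return findings


def enforce(text: str) -> Tuple[str, Optional[str], List[Finding]]:
    """Control: returns (verdict, text_to_deliver, findings).

    verdict is "block" (message withheld, text is None), "redact" (a masked copy
    is delivered) or "allow" (message unchanged).
    """
    findings = classify(text)
    if any(f.action == "block" for f in findings):
        return "block", None, findings
    out = text
    for f in findings:
        if f.action == "redact":
            digits = re.sub(r"[ -]", "", f.value)
            out = out.replace(f.value, "*" * (len(digits) - 4) + digits[-4:])
    return ("redact" if findings else "allow"), out, findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, delivered, found = enforce(msg)
        print(f"{verdict:6} | {delivered!r} | {[f.kind for f in found]}")
```

Run it directly to see each sample line’s verdict. Real products add many more classifiers (and exact-data matching against a hashed list of known customer records), but the shape is the same: match, validate, apply the configured action, and record the finding for the audit trail the regulators will ask for.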
Our DLP solution for SaaS, for example, becomes your virtual compliance officer, automatically and accurately preventing the theft and leakage of PII and PHI across your cloud applications.
With our plug-and-play solution, you can:
- Protect data anywhere and everywhere: Harness the power of AI to discover, monitor and protect regulated data in the cloud. With built-in auditing and reporting, you’ll always know where your sensitive data is.
- Automatic compliance from the outset: With pre-loaded templates for well-known regulations like GDPR and CCPA, our solution takes the stress of compliance off your hands. Once deployed, our engine quickly gets to work, scanning your cloud apps for personal information and taking the appropriate action to secure it in line with compliance mandates.
- Create a culture of compliance: Human error is a big compliance risk, so effective training is critical to preventing accidental data loss. Our solution integrates prompts into the daily workflow, so your employees learn about compliance and data security in real time, leading to lasting improvements.