CCPA compliance requirements

In our post on data privacy, we somewhat glossed over the California Consumer Privacy Act (CCPA) since it’s mainly to rein in the use and sale of personal information by large companies, such as for advertising purposes. This doesn’t mean the rest are off the hook for CCPA compliance, however.

Let’s look briefly at some of the reasons the CCPA law may apply to you and what it covers.

Do You Need to Prepare for CCPA?

CCPA in California goes into effect January 1, 2020 and applies to for-profit companies that meet at least one of the following criteria:

  • Has an annual gross revenue of $25 million or more
  • Buys, uses, sells, or shares the personal information of at least 50,000 consumers, households, or devices within California
  • Receives at least half of its annual revenue by selling consumers’ personal information

While this sounds fairly straightforward, there are wrinkly areas. Here are just a few cases in which you should, or you must, be able to show CCPA compliance:

  • You supply goods or services to a company that is required to comply with CCPA, or have a contract with one, or otherwise do business with one.
  • You fall under one of the rules above but you’re not based in California, nor do you have a physical location in California.
  • You fall under one of the rules above but you’re a B2B company that doesn’t collect data about individuals.
  • You fall under one of those rules above but you’re a company that de-identifies data collected about individuals, such as for statistical purposes.

What If These Don’t Apply to You?

CCPA: California MapFurthermore, here are some very good reasons you should comply with CCPA law, even if none of this applies to you right now:

  • You have a website that is able to be visited by California residents, and you collect data about those site visitors or their devices
  • You hope to someday have revenues of $25 million or more (#likeaboss)
  • You hope to someday have 50,000 or more customers/users in California
  • You hope to someday supply goods/services to a company required to comply with CCPA
  • You hope to someday sell your business to, or merge with, a company required to comply with CCPA.

Like other data privacy laws, what CCPA considers personally identifiable information is pretty broad and includes IP addresses, browser cookies, and clickstreams in addition to physical or email addresses and other obviously identifying data. (It does not cover personal health information already subject to HIPAA privacy laws, as no one is using that data for sales/marketing without permission of the individual, or at least that’s the idea.)

While who and what constitutes an individual consumer or device may be pretty easy to understand, CCPA includes household data too, which is rather less defined.

And, as mentioned, CCPA law requires covered companies to make sure any third-party suppliers or service providers are also in compliance. This means if a telecom company hires you to cater an office lunch, or you’re a promotional items company making 500 polo shirts with the logo of a big social media company – tag, you’re it.

Even if you aren’t in California and don’t sell to or deal with anyone in California, keep in mind there are many states that have passed or are discussing similar data privacy laws. You might still want to brush up on your ABCs and think of CCPA requirements as a practice test.

Understanding the CCPA Requirements

“There’s much more than just storage and software at work here. There are massive policy implications and massive changes to websites that are going to need to happen,” said Jon Calmes, our VP of Business Development, on a recent webinar.

While CCPA covers similar ground as the GDPR, it is more specific on data breaches. If private data is breached or exposed, you’re toast. Even if encrypted data is leaked, you’re toast if there’s any potential that the encryption keys or metadata leaked. The minimum fine is $2,500 per record. If you can’t address the issue quickly, that goes up. If it’s found that a breach is due to a known issue, such as a problem you ignored, that can go up to $7,500 bucks per record.

As with GDPR, the right to be forgotten is the main difficulty from the perspective of IT management, and CCPA adds some interesting twists. For example if a consumer requests you delete their data, there are some exceptions, such as data you need in order to complete your business with that individual. If you need to mail them a product they’ve paid for, or keep track of their purchase history for tech support purposes, you do not need to grant their request. And if you are under obligation for some legal reason to keep their data, you do not need to grant their request.

CCPA LawAnother nuance is a customer can permit you to keep their data, but not share it with, or sell it to, any third parties. To comply with this you’ll need to manage files based on these varying requests, perhaps in separate repositories based on the customer’s preference or by flagging or tagging it as either ‘do not share’ or ‘okay to share.’

A consumer can request access to their data, or removal of their data, up to the prior 12 months. So while the law doesn’t take effect until January 2020, technically it covers data beginning in January 2019, which means the time to start complying with CCPA law is…six months ago.

How Does Aparavi Help?

We have more details on our data privacy features here, but as you may have noticed we’re slightly obsessed with enabling users to organize their files. These features help you comply with the right to be forgotten, protect private data, manage similar data in different ways, or different data in similar ways.

We give you the ability to classify and categorize data with tags so it can be managed and found. We allow full-text content search so you can locate and retrieve data, without having to know where it’s physically stored.

As always, if we can be of help, give us a call!

Request a Demo