CCPA Enforcement Has Now Begun. Are You Ready to Handle DSAR Requests?

While the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, enforcement only began on July 1, 2020. Are you ready to handle DSAR (data subject access rights) requests? If you’ve already been compliant with GDPR, you may not need to do much more work to become CCPA compliant. According to a survey published by Ethyca and TechGC, 56% of general counsel believe their organizations are not prepared for coming data privacy regulations, including the CCPA. If you are still struggling to become CCPA and GDPR compliant, Aparavi is here to help.

The big business of consumer data is currently one of the most lucrative businesses in the world—just look at companies like Google, Facebook, Twitter, and Instagram. However, due to security breaches, compromised personal data, and the continued misuse of consumer information, data privacy regulations have emerged to ensure companies are properly protecting personally identifiable information (PII). The European Union’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are two such data privacy regulations that are particularly difficult to comply with, because they require enforcement of “the right to be forgotten” or “the right to delete.”

Since the CCPA was enacted in January, many organizations have struggled to adhere to the regulations and handle consumer requests for information or deletion of data, known as data subject access rights (DSAR) requests. In this article, we explore the challenges of CCPA compliance and discuss how Aparavi’s powerful data intelligence and automation platform can save your organization time and millions of dollars in fines.

What is the CCPA?

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, but enforcement was delayed until July 1, 2020, to give more companies time to comply with the new regulation. The California Attorney General (AG) will start to enforce the CCPA by issuing notices to violators, after which they will have a 30-day period to cure their violations. After the 30-day period, the AG may seek penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, subject to his discretion. Violations can quickly multiply to millions of dollars in fines, depending on the number of consumers who are implicated. Consumers also have a private right of action, when personal information is wrongfully disclosed under the CCPA.

The CCPA is designed to protect the privacy interests of California state residents, by regulating companies that sell or maintain those residents’ personally identifiable information (PII) or otherwise put their PII at risk. Under the CCPA, PII might include social media data, addresses, phone numbers, names, location, or consumer information that was collected by third party companies.

Under the CCPA, California consumers are ensured:

  • The right to know
  • The right to delete
  • The right to opt-out
  • Rights for minors
  • The right to non-discrimination

Like the GDPR, the CCPA gives California residents the right to inquire what information has been collected about them and request the deletion of that data. Residents also have the right to opt out of the sale of their personal information at any time. Companies will also be required to provide a link to their privacy policy on their website, with more information on the types of data they collect (and why) and notify consumers in the event of a security breach or leak. Companies are prohibited from selling the personal information of any minor under the age of 16 without a parent’s consent (and they cannot sell the personal information of children under the age of 13 at all). Businesses will not be able to penalize consumers for refusing usage of personal information.

A for-profit company that has any presence in California must be able to show CCPA compliance, if that company:

  • Has an annual gross revenue of $25 million or more
  • Annually buys, sells, receives, or shares the personal information of at least 50,000 consumers, households, or devices within California
  • Derives at least 50% of its annual revenue by selling consumers’ personal information

A number of categories of businesses are explicitly exempted from CCPA compliance, including certain industries covered by federal regulations, but there are other instances where the CCPA might apply to your company, even if you don’t meet one of the above requirements (see our blog, California Consumer Privacy Act: Your Questions Answered, for more information, or Attorney General Becerra’s Press Release on the topic).

Even if the CCPA does not apply to our organization right now, you may consider complying if your company has a website that is able to be visited by California residents, and you collect data about those residents or their devices, or you plan to grow into a company (or merge with one) that meets any of the above requirements. In addition, the GDPR may apply to your organization, even if the CCPA does not. Furthermore, other states have already begun to enact their own versions of privacy laws modeled on the CCPA, and a federal regulation has also been proposed, and it is likely that most American companies will need to comply with these regulations eventually.

Why is the right to delete request so difficult to comply with?

What is PII?

When a consumer submits a right to delete DSAR request, you will need to find all data stored in your organization that is specific to the consumer’s private, financial, or sensitive data types, and then retrieve and remove that information from all storage/servers, including backups and archives.

When locating data for CCPA compliance, you must be aware of the two different types of data that will be part of the requests: PII data and sensitive data. PII includes name, age, email address, phone numbers, and location information like address, city, state, zip code, and country of origin. Examples of sensitive data are religious or political preferences and gender. All relevant data needs to not only be managed but also protected against unauthorized use and security breaches.

This request is difficult to comply with because organizational data is often disorganized and sprawls across multiple disconnected storage systems, lacking visibility and searchability. In addition, even if the data is searchable, there is no way to automate actions with specific rules and conditions. That’s where Aparavi comes in.

Aparavi’s CCPA filters

As the Aparavi Platform (the “Platform”) processes data, a file’s content and metadata is collected and stored in an indexed form, which enables you to find relevant information as efficiently and completely as possible. According to Aparavi’s Chief Information Officer, Rod Christensen, “The Platform simply captures everything about a file.”

Classification policies

This means that all the data an organization needs to find is already in the index. Finding data in The Platform is as easy as applying specific criteria like names, addresses, or phone numbers and finding everything for that user quickly. Smart actions like delete, copy, and cut allow the requested action to be done in the most efficient manner possible.

We’ve also built a classification feature so you can manage specific kinds of data: tag files with PII, tag confidential files, tag files as “potential CCPA,” whatever makes sense to you. We’ve already set up the most useful categories/tags to make it easy to get started.

Aparavi provides users with a quick audit log, which can prove the action was carried out. A future search should prove that data that was requested to be forgotten no longer resides in the system.

How can Aparavi streamline CCPA compliance?

The Aparavi Platform has many tools that any organizations impacted by CCPA need to have in their arsenal to handle complex requests. The Platform’s features include:

  • Predefined CCPA-related classification policies, including both personal and sensitive data policies to collect all the relevant information quickly
  • A best-in-class classification engine that adds classification tags to all files if the metadata of content contains CCPA-specific data
  • Simple, user-friendly content and metadata fields that find all data based on tags, content, metadata, or any combination of these

Increasing amounts of data and data sprawl make information or deletion requests difficult to implement, and many companies are facing major fines for non-compliance. Aparavi’s find features and pre-built classification policies make it easy to handle right to delete requests, potentially saving your company millions in fines or litigation. Schedule a call today to learn how Aparavi can help your organization become CCPA compliant.