ccpa compliance guide

The California Consumer Privacy Act (CCPA) is the first of its kind Privacy Act in the country established to secure consumer data. Similar to the GDPR Regulation, the Act which was passed in the year 2018 is a statutory requirement that the organizations operating or running a business in California need to comply with if they fall in the scope of the regulation. With the Act coming to effect, the law makes it harder for businesses to collect and deal with consumer’s personal information than ever before. While the CCPA took effect on January 1, 2020, the enforcement of the Act including the imposition of penalties came into effect only in June. Let us today through this article CCPA Compliance Guide and understand what is the California Consumer Privacy Act and to which organization does this Act applies in the State. 

 

What is the California Consumer Privacy Act(CCPA)?

The CCPA is a law designed to protect the data privacy rights of citizens living in California. The Act gives citizens the right to control the use of their personal information which is collected by organizations for their business. The Consumer Privacy Act includes transparency right that requires companies to inform consumers about the data collected and shared. Further, it grants them the right to access, delete, or opt-out, if they wish to do so. The law has enforced companies to provide more information to consumers about the use of their data and given them control over the usage and sharing of their data. The act ensures that citizens are given a chance to opt-out of having their information used in a way that they disapprove of.

Who does CCPA Affect?

The CCPA law is for all businesses that collect and sell consumer “personal information” for their business.  However, there are a few exemptions that are clearly stated in the law and are highlighted below for your reference. If a company falls under one of the following criteria, the CCPA law will apply to them. 

  • A company that uses, stores and transmits consumer’s personal data and earn $25 million or more in annual revenue, broadly fall under this category. 
  • Possess personal data of more than 50,000 “consumers, households, or devices” or
  • Earn more than half of its annual revenue selling consumers’ personal data.

However, the CCPA does not apply to the following organizations for they already fall under the federal data security law-

  • Health Care Providers and Insurers who fall under HIPAA
  • Banks and Financial Companies covered by the Gramm-Leach-Bliley Act. 
  • Credit Reporting Agencies that fall under the Fair Credit Reporting Act. 

California Consumer Privacy Act Enforcement & Penalties

The California Attorney General will enforce the CCPA Act. However, the CCPA provides for a “private right of action” in case of a breach/theft or disclosure of non-encrypted personal information. Consumers and their private attorneys can bring legal action for statutory damages which can range from anywhere between $100 to $750 per violation or actual damages, whichever is greater. However, it is important to note that consumers need not prove the actual incurred financial loss, but only need to prove that the company has violated the law.  So, companies should be wary of potential litigation or lawsuit against them for being non-compliant.

How can VISTA InfoSec help companies achieve CCPA Compliance?

VISTA InfoSec based in the USA, Singapore, and India has a glorious 16 years of experience in Compliance and Governance for the Information Security Industry.  Our team of Compliance who are industry experts can help organizations take control over CCPA Compliance requirements. We collaborate with the client organization’s IT team to build a comprehensive compliance plan that helps implement privacy controls and manage ongoing compliance effectively. Our team will assess the organization’s readiness to comply with CCPA requirements and accordingly suggest the implementation of industry best practices for achieving compliance objectives. Our team of experienced consultants can review business operations and, identify risks and gaps relative to the requirements of CCPA. Based on our findings and analysis, we then help businesses build a strategy to address issues and achieve Compliance.  

 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.