What Is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) was enacted in 2018 and became effective on January 1, 2020, to prevent data breaches resulting from unmanaged access controls and privacy management. It has a massive impact on corporate privacy initiatives across all sectors of the technology, media and entertainment, and telecommunications (TMT) industries.
Modeled on the European Union (EU)’s General Data Protection Regulation (GDPR), the new regulations give users more control over their data. Businesses primarily focused on the United States and markets in the Americas largely avoided GDPR’s scope for a long time. Regardless, alarming data breach incidents and privacy concerns among consumers and legislatures globally are driving data privacy deployment.
Considered one of the strictest privacy laws in the United States, CCPA allows California residents to control how businesses process their personal information. Businesses will have to respond to requests from California residents to access, delete, and opt out of the sharing or selling of their information. Additionally, businesses will have to design their privacy programs to comply with CCPA’s prescriptive opt-out measures and overall data protection.
The CCPA Act & Its Objectives
CCPA applies to enterprises operating in California or collecting or processing personal information about California residents. It applies to businesses that meet at least one of the following criteria:
- Generates gross annual revenue of more than $25 million
- Purchases, procures, sells, or shares personal information for 50,000 or more consumers, households, or devices
- Generates at least 50% of its annual revenue from selling consumers’ personal information
Unlike GDPR, CCPA is more focused on compliance, with data protection being a critical component. It focuses on the cybersecurity of the infrastructure storing consumer data. Here, protected data includes any Personally Identifiable Information (PII) that can be used to identify a consumer. CCPA defines personal information as “information that identifies, relates to, describes, and is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Lack of access controls and data security protections could result in huge penalties, so CCPA enforces cybersecurity implementation.
The objective of the Act is to provide consumers with more control over the personal information that businesses collect about them and to establish new privacy rights for California consumers, including:
- The right to know how companies are handling their personal data
- The right to delete personal data collected by companies
- The right to control who can access their data, mainly third parties
- The right to opt out
How Seclore Can Help Organizations Comply with CCPA
The scope of CCPA includes all personal data processed by businesses based inside the State of California and personal data of California citizens processed by businesses based outside the State.
Implementing and adhering to the “reasonable security procedures and protections” required by the California Consumer Privacy Act (CCPA) protects private or sensitive personal data from unauthorized access. Thus, the scope of CCPA is data-centric in nature. Irrespective of where the information resides — even outside California — it should remain fully private, secure, and monitored. Due to multi-cloud environments, data sharing and third-party collaboration can expose personal consumer data, leading to data breaches and loss. Traditional perimeter-centric security tools fail to secure data in this data-centric manner.
However, Enterprise Digital Rights Management (EDRM) technology can provide persistent, granular, centralized, data-centric controls that secure information wherever it goes. Simply put, EDRM security controls always stay with the data.
This section describes how Seclore can help organizations comply with specific sections and clauses of the CCPA.