CCPA Academy: Acquire CCPA knowledge with the cybersecurity strategy workshop (half-day program, delivered on-site).
Remediation: Guidance and support to address CCPA gaps to ensure compliance.
On-Demand Consulting (ODC) Advisory Services: Qualified consulting resources and capabilities to assist your efforts to address CCPA.
Managed Cybersecurity Services Program (MCSP): Establish and actively manage a CCPA compliance program.
Cybersecurity Program: Align CCPA mandates in the context of a broader cybersecurity framework such as the NIST Cybersecurity Framework.
CCPA Key Facts
CCPA effective January 1, 2020.
CCPA enforced July 1, 2020.
Privacy right of action for California residents.
Grants new enforcement power to the Attorney General with high damages recoverable.
Who Must Comply?
Any business that collects consumer personal information, does business in the state of California, and satisfies one or more of the following criteria:
Has annual gross revenues in excess of $25,000,000.
Annually receives, alone or in combination, the personal information of 50,000 consumers, households, or devices.
Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Who & What Data Is Protected?
Californians are not only protected in their roles as consumers, but also as employees, patients, tenants, students, parents, children, etc.
The CCPA expands the definition of “personal information” to include any information that identifies, relates to, describes, is able to be associated with, or could be reasonably linked to an individual or a household.
For example, data such as a household’s utility consumption, an employee’s job description, a mobile phone’s geolocation data, or a web browser’s history and “purchasing tendencies” is protected.
CCPA empowers consumers to find out what information businesses are collecting about them as individuals, about their devices, and about their family members, and gives the individual the choice to tell the business no.
If a business collects an individual’s personal information, then once a year and free of charge it must disclose which categories of information it has collected, including information about devices and about children.
If a business sells personal information, it must disclose which categories of personal information it sells and to whom it sold the individual’s personal information.
Under current California law, businesses are required to implement “reasonable security measures” to safeguard Californians’ personal information. Data breach after data breach has shown how unreasonable the state of affairs truly is.
As we have seen with the many breaches of personal information, businesses ignore the current law. The California Consumer Privacy Act increases fines and penalties for violations of existing law so that you can hold businesses responsible for safeguarding your personal information if the business chooses to collect it.
If a business is informed to not share or sell an individual’s private information, the business cannot charge more, deny an individual’s access to services, or change the quality of the service.
If individuals don’t want a business to sell their information, they can say so by clicking a link that says “do not sell my data”.
Consumers have the right to know:
What personal information is being collected about them.
Whether their personal information is sold or otherwise disclosed and to whom.
Consumers also have the right:
To say no to the sale of their personal information.
To access their personal information and request deletion under certain circumstances.
To receive equal service and price.
CCPA goes into effect in 2020, and grants California residents new privacy rights.
Enforcement is with the Attorney General.
Proactive Steps to Take
Engage in a data mapping activity that provides information on who in your organization collects personal information.
Incorporate an internationally recognized framework such as the CIS 20 Critical Security Controls, the NIST Cybersecurity Framework, or the ISO/IEC 27001 series.
Take steps now to encrypt or redact consumers’ personal information.
Draft strong written contracts with service providers and vendors.
Consider requesting guidance from the Attorney General before the CCPA goes into effect.
In the News
Decoding CUI: A Highly Valued Data Type and CMMC, ISACA, Ali Pabrai, April 2022
CMMC and CUI: Rocket Fuel, Pabrai Podcast
Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.