It’s been three years since the California Consumer Privacy Act (CCPA) came into effect, marking improved security and data privacy for individuals both inside and outside of California.
However, just because the law has been in effect, it doesn’t mean that all organizations are actively complying with the statutes. Whether an organization has been working toward compliance or has now reached a business stage where the rule applies to them, all organizations that fall under the CCPA need to do the work in order to keep their customers’ data safe in a changing threat landscape.
What Is CCPA?
The CCPA, which went into effect January 1, 2020, attempts to put more power in the hands of California consumers by giving them certain rights in terms of how companies process their personal information, including:
- The right to know what personal information a business collects, uses, shares, and sells
- The right to delete personal information on file with a covered company
- The right to opt-out of the sale of personal information
- The right to non-discrimination in pricing or services when consumers exercise their rights under CCPA
- The right to correct inaccurate personal information that a business has about them
- The right to limit the use and disclosure of sensitive personal information collected about them
The act comes with teeth in the form of statutory damages, which range from $100 to $750 per consumer, per incident. CCPA also provides consumers with the right to pursue private action for data breaches, meaning they can sue a business for statutory damages when it fails to prevent unauthorized access, disclosure, or theft of personal information. Furthermore, beyond the statutory damages, the maximum penalty for a CCPA infraction is $7,500 for intentional violations and $2,500 for those deemed unintentional.
The CCPA applies to businesses with more than $25 million in annual revenues, entities that process personal information of 50,000 or more people annually, and organizations that earn 50% or more of their annual revenue from selling California residents’ personal information. This means that even if the organization isn’t based in California, it can still be subject to the law’s requirements.
How Does an Organization Achieve CCPA Compliance?
The first step toward compliance is to understand which data the law applies to.
According to the regulations, personal information is “information that identifies, relates to, or could reasonably be linked with you or your household.” Sensitive personal information is a “specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership.”
For an organization, knowing what information it stores and possibly transmits is the first critical step in achieving and maintaining CCPA compliance, especially since the law applies to a broad swath of consumer data.
Beyond understanding how private data is stored and transmitted, organizations need to act to make sure that data is protected. While one part of that is creating privacy policies and notifying customers of them, much of the work happens behind the scenes within an organization’s cybersecurity architecture.
Arctic Wolf recommends following these best practices from the Center for Internet Security:
- Implement penetration and vulnerability testing to help uncover security gaps before they become a pathway for an attack.
- Monitor network activity to help discover the exfiltration of large blocks of data, indicative of a breach.
- Complete routine patches and software updates to minimize the potential for an attack.
- Limit employee access to only data needed to perform their role to help limit exposure to California resident data and, therefore, the potential for its compromise.
How Arctic Wolf Can Help Your Organization Achieve CCPA Compliance
Arctic Wolf has helped thousands of customers achieve compliance by consistently scanning and monitoring environments, prioritizing and adding context to vulnerabilities and threats, preventing unnecessary access, and helping organizations better understand their own networks, systems, and assets.
Learn more about our compliance work.
Explore the Arctic Wolf cybersecurity compliance guide.