A Guide to Navigating the California Consumer Privacy Act

A Guide to Navigating the California Consumer Privacy Act

September 12, 2018
Dustin Maxey
Director of Product Marketing

First, the EU announced the General Data Protection Regulation (GDPR). Then, there was the Cambridge Analytica and Facebook scandal. Companies like Amazon and Apple have both taken strong stances on privacy in recent years by not sharing their user data with authorities and refusing to create a backdoor into their devices. Privacy is top of mind for consumers and businesses alike. And, now, there’s the California Consumer Privacy Act (CCPA).


The CCPA was passed by the California State Assembly and Senate on June 28, 2018. Its purpose is to give consumers privacy rights and control over their personal information. If you do business in California, you may need to comply with the regulation, which goes into effect on January 1, 2020.

You may be wondering if all of the recent focus on privacy is just the latest trend or if it’s here to stay. Assuming it’s more than simply a passing fad—and I believe it is—you’ll want to have a firm understanding of the basics of good privacy. This is important for all entities, but especially for large enterprises, who could have millions of customers, complex hybrid IT infrastructures or large application portfolios.

To help you better understand this latest addition to the regulatory landscape, I’ll be deconstructing the CCPA here. While there are specific requirements you need to be aware of, compliance is based largely on implementing privacy best practices—which are in your best interest anyway, regardless of the regulatory requirements.

Ready? Let’s dive into the CCPA requirements and discuss how you can shore up your privacy practices now to ensure compliance when the law takes effect in 2020.


What is the CCPA?
According to the CCPA website, the regulation will give consumers new consumer privacy rights to take back control of their personal information. It hopes to achieve three major goals:


Give consumers the right to know what information corporations are collecting
As consumers increasingly engage in digital transactions, their personal data is being collected by a growing number of entities. This data includes the usual information, like name, address and phone number, but it can also include less common personal data, like driving speed, personality traits, location history or sleep habits. The CCPA’s goal in this regard is allowing consumers to know exactly what information is being collected. It also seeks to help consumers understand the many types of data enterprises may collect, which we’ll talk about more in the compliance section.


Give consumers the right to tell a business not to share their data
You’ve probably heard the saying “if you’re not paying for the product, you are the product.” This speaks to the practice of free services and platforms, like Facebook and others, using customers’ personal information as a means to generate revenue, often through sharing or selling that data to partners or other third parties. This practice was illuminated during the Facebook hearings, but it’s not new. The CCPA continues to shine a light on this practice by giving consumers the right to not be “the product” by opting to not have their data shared.


Give consumers protections against businesses who don’t uphold these privacy values
Finally, the CCPA introduces consequences to businesses that aren’t good stewards of customer data or don’t take basic steps to keep that data safe. This includes the imposing of civil penalties for non-compliance.


Who does the CCPA apply to?
The California Consumer Privacy Act doesn’t apply to every business. Specifically, the regulation is aimed at larger enterprises that meet any of the requirements below:

  • Do business in California
  • Have revenue greater than $25 million
  • Collect personal information on more than 50,000 consumers, households or devices
  • Earn 50% or more of revenues by selling consumer information


What are the risks of non-compliance?
As defined in Section 1798.150 of the bill, consumers can recover damages if they’re affected by a data breach. The recovered amount can range from $100 to $750 per consumer per incident or equal actual damages, whichever is greater.

Section 1798.155 states that if the business fails to correct an alleged violation within 30 days, it can be subject to a civil penalty under Section 17206 of the state’s Business and Professions Code, which could be as high as $2,500 for each violation.

In addition to this civil penalty, Section 1798.155 further states that the Attorney General can impose another civil penalty of up to $7,500 for each violation.


How do you ensure compliance with the CCPA?
At its core, the CCPA is being enacted to force bigger businesses to adopt good privacy practices. Those practices center on letting consumers know what information is being collected about them and giving them control over how this data is used. And of course, there are penalties for non-compliance.

While amendments are possible between now and the 2020 effective date, the main requirements outlined in the CCPA legislation as it stands today are summarized here.

Section 1798.100: Inform consumers of data collection
A business has to make consumers aware of the categories of information it’s collecting. If a consumer presents a “verifiable request” for any of their information the business has stored, the business needs to provide it to them. There are also a few stipulations. For example, businesses don’t have to provide information more than twice in a 12-month period. Businesses also don’t need to retain information used for one-time transactions, as long as that information isn’t sold or used to re-identify the consumer or link to them later.

The CCPA allows consumers to request and have insight into specific categories of their personal data. Examples of these categories include:

  • Identifiers: such as a customer’s real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers
  • Commercial information: includes records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information: typically fingerprints or facial recognition profiles
  • Internet or other electronic network activity information: including, but not limited to, browsing history, search history and information regarding a consumer’s interactions with a web site, application or advertisement.
  • Geolocation data: such as GPS data, that tracks a person’s location or location history
  • Professional or employment-related information: such as a person’s job history or professional certifications
  • Inferences: a separate category of data that includes inferences drawn from any of the categories above—or other categories in the CCPA legislation not listed above—to create a profile about the consumer, including preferences, trends, characteristics, psychological profiles and others.

Section 1798.105: Deleting consumer data
A consumer can make a “verifiable request” to have their data deleted, and the company is responsible for letting consumers know that they can make such a request. There are also a few stipulations outlined, such as not having to delete data associated with a transaction requested by the consumer or data that helps detect security incidents.

Section 1798.110: Disclose categories and purpose of data
The consumer can also submit a verifiable request for a company to disclose the categories and specific pieces of personal information that it collects, the categories of sources from which that information is collected, and the business purposes for collecting or selling the information.

Section 1798.115: Disclose the information the business has sold
Businesses will be required to disclose, as a result of a “verifiable request”, the categories and types of data that they’ve sold about the consumer, and to whom the information was sold.

Section 1798.120: Consent to share user data with third parties
A consumer can submit a verifiable request to stop a business from selling their data. Consumers must also be notified of their “right to opt out” by businesses who sell their information to third parties. Also of note, a separate “right to opt-in” is required to sell information about minors. If a business has knowledge that a consumer is under the age of 16, it cannot sell their information without their consent. Minors who are 13 to 16 years old can give their own consent, while minors younger than 13 require the consent of a guardian.

Section 1798.125: No consumer discrimination due to opting out
Businesses are prohibited from discriminating against consumers who have opted out. Businesses may not deny goods or services, charge different prices, provide a different quality of goods and services or engage in other discriminatory behavior.

Section 1798.130: Give consumers options for making requests
Businesses have to give consumers at least two options for submitting verifiable requests as detailed above. At a minimum, the business must provide a toll-free phone number and a website address.

Section 1798.135: Make it clear and conspicuous
With regard to section 1798.120, businesses must “provide a clear and conspicuous link on the business’ Internet home page, titled ‘Do Not Sell My Personal Information.’” Businesses must also include a description of consumer rights as defined in Section 1798.120.

Remember, these are only summaries. If you’re interested in understanding additional details of the CCPA legislation, I suggest that you review the individual sections with your legal team and other stakeholders. 


The Case for Privacy Standards
While a thorough review of the CCPA is warranted for those businesses affected, the requirements it outlines are really just the fundamental privacy practices that any business should implement as a good steward of consumer data. And they’re not much different than the GDPR requirements, for example.

In the weeks leading up to May 25, 2018, when GDPR became enforceable, you probably noticed your inbox explode with emails from companies saying they were updating their privacy policies. This happened to me as a U.S. citizen, even though the GDPR only applies to EU citizens. Why? Because many companies saw this privacy overhaul as an opportunity to do the right thing and refine their privacy practices across the board, not just where it was required by GDPR.

While nobody likes being told what to do, privacy regulations like the CCPA, GDPR and others share a common purpose: to ensure that companies have responsible practices around privacy and aren’t abusing their customers’ data. If you step back and look at the requirements objectively, they just make good sense. Of course, your customers have the right to know if you’re collecting their data and whom you’re sharing it with. Of course, they should be able to ask you to stop sharing their data, and you should delete their data if they ask you to.

So to answer the question about privacy being just a trend, I believe it’s here to stay and for good reasons. In fact, I predict that consumers will begin to expect, even demand, transparent privacy disclosures, setting a new standard for the companies they do business with. If this is the case, those companies that fail to achieve that standard will fall out of favor with their customers, not to mention being in violation of regulations.


Implement Privacy Best Practices with Identity
Even if you’re still not psyched about all of the privacy regulations, compliance isn’t that hard.  Because the regulations all espouse similar approaches based on best practices, you can make the necessary changes once and be fairly assured of compliance should a new regulation emerge. And when you build your privacy practices on a foundation of identity, you’ll be well-positioned for whatever the regulatory bodies might bring.

Because customer data IS identity data, there are several identity-centric capabilities—usually delivered through customer identity and access management (CIAM) solutions—that will provide the solid privacy foundation you need. Here are the best practices and capabilities you’ll want to prioritize.


Enforce consent, don’t just collect it
To achieve a good privacy experience, and one that many regulations require, you must do more than just update your privacy policies to disclose how you use and share customer data. Instead, you must be able to centrally enforce consent. For example, if a customer doesn’t want you to share data with your loyalty rewards program partner, your position can’t be, “Sorry, but we told you that we’d share that data in our privacy policy, and you have to agree to it to do business with our brand.” Instead, you should provide customers transparency about who you’re sharing their data with and the ability to revoke consent for any specific use case, as spelled out in Section 1798.120 of the CCPA.

Enforcing consent in this way requires a data access governance solution. Some CIAM vendors can ensure that you’ve agreed to a privacy policy, but will do nothing to actually ensure that the privacy policy is enforced, much less allow customers to directly control their data sharing preferences. With no data access governance policies to centrally enforce compliance, you’ll have to ensure each individual app is collecting and treating data in a compliant manner. At best, this is a huge headache, at worst, it’s insurmountable.


Create a unified profile to store consent
Consent as a whole is much easier to enforce when individual consents are centralized in a single location, instead of being spread out across several user repositories. Many CIAM vendors will expect you to clean up your disparate identity silos before importing them into a “unified profile.” This is a huge undertaking that could tempt you to skip this step. But there is another option.

A CIAM that also has a directory solution with bidirectional data synchronization can help you create and migrate applications to your unified profile, plus provide capabilities like those required under GDPR, including providing a custom consent schema that allows you to store consent evidence like IP address or app source, the date consent was collected and other consent-related data.


Provide a solution for data residency
Many privacy regulations have requirements dictating where you can store customer data. When selecting a CIAM solution, you want to be sure it meets data residency requirements. For example, you may need the ability to evaluate data in someone’s profile—such as their citizenship—and then decide which data center to store that particular data in. A robust solution will ensure that you can comply with the data residency requirements of both current and future privacy regulations.


Ensure you’re protecting customer data
Many privacy regulations—and some specifically around data breaches—have requirements around the ways that customer data is secured. Some are breach notification laws that have to do with detecting and reporting breaches. While others, such as PCI DSS, mandate specific ways in which certain types of data must be secured. How a CIAM solution encrypts data, protects log files, mitigates insider attacks and enforces access to data can be critical in meeting these security-related requirements.


Allow customers to self-manage profile data
This may sound like a basic requirement, but delivering user-friendly profile management experiences to your customers will go a long way. If your identity services—login, registration, account recovery and others—are tied into a set of APIs or UIs that allow customers to manage their own data, this can be a simple, easy-to-deploy solution that can fulfill some of the basic requirements of many privacy regulations.

If you have a CIAM solution that checks all these boxes, you’re not only able to comply with regulations like GDPR and CCPA, but you can rest assured that you’ve created a solid foundation of privacy for your organization. This foundation will both ensure regulatory compliance and earn your customers’ loyalty with a clean and robust privacy experience.


Get a Jump on Compliance
Whether you’re affected by CCPA or not, I hope this article gives you a new perspective on the need for privacy best practices, regardless of regulatory requirements. If you are affected, the regulations don’t go into effect until January 1, 2020. But it’s not too early to start thinking about what you’ll need to do to ensure compliance. Architecting privacy at large enterprises can be like trying to turn the Titanic. It can take years to evaluate all the systems that require updates, plus implement changes. While you may not want to pull an emergency stop on other initiatives and divert their resources to CCPA, it’s probably worth adding privacy and CCPA as a topic in your next quarterly planning meeting or executive strategy session.

To learn more, about Ping Identity’s privacy solutions, visit our GDPR page.