What Every Business Needs to Know About CCPA & CPRA

California was the first mover in the United States when it came to privacy and data breach regulations, with statutes dating back to 2002. Most recently, California introduced two of the most sweeping regulations yet: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

CCPA went into effect January 1, 2020, giving California residents the rights to opt out of having their data sold to third parties, to request information on what data has been collected about them, to request that any collected data be deleted, and to be notified what data is getting collected and what purpose it will serve.

CPRA passed into law November 3, 2020 and will take effect January 1, 2023; however it will have a lookback period to 2022, meaning any data from that time will be subject to review. This new regulation builds on CCPA to give California residents even more rights, including further limiting what businesses can do with personal information collected about consumers, restricting how long organizations can retain that data, and creating a new category for “sensitive personal information.” It also introduces a new government agency for enforcing these data privacy regulations called the California Privacy Protection Agency (CPPA).

Who is Subject to California’s Privacy Regulations?

Much like with GDPR, the California privacy regulations center around where consumers are located, not the business itself. This means organizations that might collect data on California residents in any way — whether that’s directly or through a partner — are subject to CCPA and CPRA.

The regulations also offer clear definitions about the types of businesses that qualify for enforcement. The latest definition from CPRA states that any business (which can be a website, company, or organization) that meets one of the following guidelines is subject to enforcement:

• Annual gross revenue of more than $25 million
• More than 50% of annual revenue comes from selling or sharing consumers’ personal information
• Buys, sells, or shares personal information on more than 100,000 consumers or households annually

One interesting caveat to this definition is healthcare companies that must adhere to the federal Health Insurance Portability and Accountability Act (HIPAA). In most cases, HIPAA supersedes state regulations, but there are a few gaps in areas of data that HIPAA does not cover. In these instances, organizations must still follow the California regulations. For example, this might occur in cases where non-medical information gets used for marketing or research purposes.

How Do the California Privacy Regulations Get Enforced?

CPRA established a new enforcement mechanism for California’s privacy regulations with the creation of the CPPA. This regulatory body will have the authority to investigate potential violations and issue fines accordingly.

The creation of the CPPA is noteworthy for two reasons:

1. It’s self-funded. The CPPA will start out with $10 million in funding from the state, but everything after that will come from the fines that it issues. As a result, this enforcement agency has a unique incentive to investigate violations and issue fines.
2. It’s dedicated to privacy regulations. Previously, investigations around violations of privacy regulations sat with the state Attorney General’s office (as it does in other states). These investigations were one of many responsibilities, and bandwidth constraints meant the office would typically only go after the most egregious violations. Handing over this responsibility to a dedicated body eliminates this bandwidth constraint and means that even minor violations are likely to come under investigation.

Additionally, CPRA gives consumers the right to bring a private lawsuit for data breaches in which exposed information includes a combination of email address and password or the associated security question and answer. In these cases, the regulation outlines a maximum fine of $750 per consumer, per violation and a minimum of $100 per consumer, per violation.

What Do CCPA & CPRA Outline for Incident Response?

Both CCPA and CPRA require businesses that collect personal information on consumers to implement and maintain “reasonable security procedures.” Essentially, this means organizations must not only comply with the elements of the regulation that give consumers certain rights (e.g. the right to view their data, the right to receive notice about how it will be used, etc.), but they must also protect any data they do hold from being destroyed, modified, or falling into unauthorized hands. Notably, CPRA broadens the scope of these security measures to cover all personal information, whereas CCPA had a narrower set of data to which this applied.

This responsibility raises an important point: Previously, many organizations only introduced cybersecurity defenses after a breach occurred, but CPRA makes clear that post-breach remediation actions are no longer acceptable. Additionally, the subjectiveness of “reasonable security procedures” puts the burden on organizations to prove their cybersecurity programs appropriately match their risk and resources. 

If a data breach does occur, the regulations include detailed guidelines for managing the incident response. These guidelines are as follows:

Who to Contact

Businesses must notify any California resident who was affected by any data breach. If a single event impacts more than 500 California residents, the company must also notify the state Attorney General by submitting an electronic copy of the security breach notification (note: this should exclude any personally identifiable information about the affected individuals).

When to Make Contact

Companies must make this notification “without unreasonable delay” once they discover the breach. The one exception to this rule is in cases where disclosing the information can hinder a law enforcement investigation. 

How to Make Contact

The notification must be written in plain language, be titled “Notice of Data Breach,” and include the following information:

• Name and contact information of the reporting organization
• Overview of what happened
• Details on the types of personal information included in the breach
• Timing information (date, estimated date, or a date range for when the breach occurred)
• Telephone numbers and addresses of major credit reporting agencies if the breach exposed social security numbers, driver’s license information, or California identification card numbers
  • Note: If the breach exposed social security, driver’s license, or state identification card numbers, the business that was the source of the breach must offer appropriate identity theft prevention and mitigation services at no cost for at least 12 months and provide all information necessary to take advantage of the offer.

Businesses may also choose to include the following optional information:

• What the business has done to protect individuals affected by the breach
• Advice on what affected individuals can do to protect themselves

Beyond outlining what should be included in the notification, state regulations also include formatting considerations. Specifically, it says the notification should “be designed to call attention to the nature and significance of the information it contains,” with clear and conspicuous titles and headings and text no smaller than 10-point type.

If the business can demonstrate that providing the notice would cost more than $250,000, if the number of affected individuals is more than 500,000, or if the company doesn’t have proper contact information for individuals, then the company must do all of the following:

• Email notification (if the organization has email addresses for the affected individuals)
• Conspicuous posting on the organization’s website for at least 30 days (i.e. featuring a link to the notice on the home page, made obvious with larger text or contrasting colors)
• Notification to major statewide media, plus California-based companies must also inform the California Office of Information Security

What Can Lead to Notification Under CCPA & CPRA?

A variety of events can create a data breach situation that leads to notification obligations under the California privacy regulations. Cyber attacks come to mind first, but there’s a lot more that can trigger notification and put organizations into incident response mode, such as companies improperly selling or mistakenly sharing data. The following are examples of a variety of events that can trigger an incident response under CCPA and CPRA.

1) Ransomware

A ransomware attack occurs when a malicious group installs malware on a computer that can steal information and hold it captive in exchange for money (hence the name ransomware, which combines “ransom” and “malware”). Even if your company pays the ransom and retrieves the information in a ransomware attack, the data was still exposed to an unauthorized third party and was therefore compromised under CCPA and CPRA.

2) Improperly Sold Data

If personal data your company stores on customers gets improperly sold, that also qualifies as a data breach that requires notifications. It doesn’t matter whether this sale was authorized by your company or not. Even if individual employees acted maliciously and abused their authorized access to sell data for personal profit, the company is still liable under CCPA and CPRA.

3) Mistakenly Updated or Deleted Data

If your company mistakenly overrides information, deletes data, or introduces errors into the data in any way, this also counts as a data breach that requires a notification under California law. It does not matter whether this error stemmed from an honest mistake or incompetence, the result is still inaccurate or missing data that qualifies as a breach.

How Can Organizations Prepare for CCPA & CPRA?

CCPA and CPRA are two of many data privacy regulations that require organizations to follow set guidelines for incident response. Because the California regulations place the burden of security on organizations and require a quick response when an incident does occur, all companies must be proactive. This preparation starts with: 

• Putting in place clear security protocols to protect data
• Introducing technology that provides visibility into how data gets collected and used as well as where it lives
• Assigning responsibility for security protocols and incident responses to a team or set of people within the organization

From there, organizations should prepare for three phases of incident response:

1) Readiness

Your company should be ready for a breach to occur at any time, that way you can go into response mode quickly. Not only does this help meet the requirement of issuing a response “without unreasonable delay,” but it can also reduce the costs of the breach.

Readiness should include understanding response requirements (according to the regulations as well as contracts with customers and partners), establishing incident response plans based on those requirements, and staying up to date about changes to those regulations and contracts (to ensure the plans get adjusted accordingly).

2) Response

Having a readiness plan in place allows your company to quickly and confidently go into incident response mode when a breach occurs, a critical capability to satisfying California requirements.

A proper response requires the ability to quickly and easily pinpoint issues (what happened, what data was involved, who was affected, how to recover) and to efficiently issue the complete notification in the proper format to the affected individuals and any agencies.

3) Ongoing Management

Incident response preparation is an ongoing effort, as your company must stay up to date on regulatory changes and new system capabilities to ensure you have the utmost protection and strongest readiness plans in place at any given time.

The organizations that excel in this area introduce a centralized dashboard for reporting and monitoring, as this provides a single source of truth for all of the moving pieces like incident response plans and changes to regulations and contracts.

How Do CCPA & CPRA Compare to GDPR?

The California laws and the European Union’s General Data Protection Regulation (GDPR) are among the most comprehensive regulations around data privacy today. This has led to a lot of comparisons between the two. And for any organizations that need to consider both (which is any company that might have data on California residents and EU residents), it’s important to understand where the two are similar and where they’re different. Here is a high level look at some of the biggest similarities and differences between the two regulations.

Similarities Between CCPA/CPRA and GDPR

• Clear definitions of personal data and sensitive data: Both regulations define what’s considered as personal data and have a category for sensitive data, but the types of data within those categories differ. For example, CPRA first introduced the sensitive data category in California and includes all the data types in GDPR’s special category data except for trade union membership, but also adds government issued identifiers, financial account information, consumer communications, and precise geolocation.
• Right to access data and request deletion: Both regulations give consumers the right to access their personal data by submitting a request to a business to share any data that organization has collected about them. They also allow consumers to request the organization delete that data.
• Detailed guidelines for incident response: Both regulations have detailed guidelines for incident reporting (although the notification requirements do differ) and both require companies to issue notifications quickly (but the exact timelines also differ).
• Burden of data protection: Both regulations put responsibility on organizations to protect consumers’ data. Specifically, they hold organizations accountable for having security measures in place and dictate that organizations are not exempt from this responsibility as a result of mistakes or a lack of awareness.
• Dedicated enforcement agencies: Both regulations establish a dedicated enforcement agency — CPPA in California and Data Protection Authority (DPA) in the EU. However, only the California agency is self-funded.

Differences Between CCPA/CPRA and GDPR

• Opt out vs. opt in: In California, consumers must opt out to prevent organizations from using their data in certain ways. In contrast, EU consumers must opt in to allow organizations to use their data in certain ways. This difference impacts the default stance for how organizations can collect and use data.
• Data usage: The California regulations impose restrictions on what businesses can do with data, while GDPR also looks at how organizations process that data. Notably, California is moving closer to the EU in this regard, as CPRA imposes limits on how long companies can hold onto data, including guidelines for data minimization, purpose limitation, and storage limitation.
• Organizations held liable: Under both regulations, organizations must comply based on where the people whose data they have are located, not the company itself. However, the California regulations also include requirements for what types of organizations qualify as a business and are therefore liable (these cover revenue and use of data). GDPR applies to all organizations without exception. 

The Value of Proactive, Ongoing Incident Response Efforts

California has set a precedent not just for privacy regulations in the US, but also worldwide for how it’s evolved those privacy standards regularly over time. For example, in the same year that its hallmark CCPA regulation went into effect, the state passed CPRA to expand upon what was already in place. And California’s long history of privacy regulations suggests we can expect even more changes going forward that will continue to strengthen protection and ensure laws stay up to date with the latest market trends.

As a result, when it comes to incident response for California privacy regulations, companies must be proactive and view their efforts as ongoing. This type of proactive, ongoing effort is essential to keeping policies up to date with rapidly changing regulations, which is especially important since going into incident response mode is inevitable for most organizations at some point or another.