What You Need to Know About: The California Consumer Privacy Act (And Others Like It)

Criminal Hackers Want Consumer Information

Personally Identifiable Information (PII) and Protected Health Information (PHI) are highly valued by criminals. This kind of information can be used to access sensitive accounts, to commit identity theft and healthcare fraud, or as the starting point for a social engineering attack. Both are easily monetized on the dark web, where a single individual's full medical record has been reported to sell for as much as $1,000.

After years of invasive data collection by governments and private corporations, privacy is an increasingly important topic to consumers. Consequently, consumer privacy is increasingly important to legislators around the world. The General Data Protection Regulation (GDPR) was adopted by the EU in 2016 and began to apply in 2018. That same year, California passed the California Consumer Privacy Act.

What is CCPA?

The California Consumer Privacy Act of 2018 (CCPA) regulates businesses' collection and sale of consumer data. It was designed to protect the personal information of California residents and to give consumers control over how that information is used. The Act defines "personal information" broadly as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

The CCPA mandates that companies disclose to California residents the data collection process before gathering any information. It allows consumers to access all personal data stored by a company and obtain details about the individuals or entities with whom this data has been shared. Additionally, it provides consumers the option to opt out, thereby preventing the sale or sharing of their personal data with third parties.

The California Privacy Rights Act (CPRA), approved by California voters in 2020, amended the CCPA, with most of its provisions taking effect on January 1, 2023. The CPRA introduces additional provisions that align the CCPA more closely with the EU's GDPR, including a new category of "sensitive personal information." Notably, it raises penalties for non-compliance and establishes the California Privacy Protection Agency (CPPA) to bolster enforcement.

Which Organizations Must Comply with the CCPA?

Regardless of the organization's physical location, the CCPA applies to any for-profit business that collects and controls personal information on California residents and meets one or more of the following criteria:

  • Annual gross revenue of over $25 million.
  • Alone or in combination, buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices each year (the CPRA raised this threshold to 100,000 consumers or households).
  • Derives 50 percent or more of its annual revenue from selling personal information.

Processing data on behalf of a partner may also bring an organization within the CCPA's reach. For example, a business that collects personal information from a California consumer and subsequently sells or shares it with a third party must enter into an agreement that "obligates the third party, service provider, or contractor to comply" with the CCPA's privacy requirements and to "implement and maintain reasonable security procedures and practices."

It is Not Just California

According to the United Nations Conference on Trade and Development, more than 135 of 194 countries have data and privacy legislation regulating the use and storage of data within their jurisdictions. Canada, for example, has the federal Personal Information Protection and Electronic Documents Act (PIPEDA), supplemented by provincial laws such as Quebec's Bill 64 (Law 25). In the US, other states are following California's lead. Legislation similar to the CCPA includes:

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act

Enacted in 2019, the SHIELD Act requires organizations holding private information on New York residents to "develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information." This includes requirements to identify "reasonably foreseeable internal and external risks," to assess the effectiveness of security controls that address those risks, and to train employees on "security program practices and procedures."

The Virginia Consumer Data Protection Act (VCDPA)

The VCDPA was passed in 2021 and draws heavily on the CCPA. It covers organizations controlling or processing the personal data of 100,000 or more Virginia residents (or 25,000 or more, if the organization derives at least 50 percent of its revenue from selling personal data). The VCDPA excludes "de-identified data or publicly available information" from its definition of personal data. The Act requires organizations to conduct and document "data protection assessments" for "processing activities involving personal data."

The Colorado Privacy Act (CPA)

The Colorado Privacy Act took effect in July 2023. It requires organizations to protect the personal data of Colorado residents when those residents act in an “individual or household context,” for example when visiting a website. The CPA also requires data protection assessments and defines these as “a genuine, thoughtful analysis of each Personal Data Processing activity that presents a heightened risk of harm to a Consumer.” The assessments must identify the risks from each processing activity, document the measures taken to mitigate those risks, contemplate the benefits of the processing activity, and demonstrate that those benefits “outweigh the risks offset by safeguards in place.”

Connecticut SB6

Connecticut passed Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring, in 2022. It exempts information already covered by other statutes, including protected health information covered by HIPAA. SB6 also requires organizations to conduct "data protection assessments" and empowers the Attorney General to require an organization to "disclose any data protection assessment that is relevant to an investigation." The Attorney General may also evaluate the assessment for compliance with the responsibilities set forth in the Act.

The Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA), signed in 2022, draws heavily on the Virginia Consumer Data Protection Act and the Colorado Privacy Act. It exempts higher education institutions, nonprofits, entities covered by HIPAA, and financial institutions governed by the Gramm-Leach-Bliley Act. The UCPA requires organizations to "establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to: (i) protect the confidentiality and integrity of personal data; and (ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data."

How Defendify Can Help Comply with Privacy Regulations

Section 1798.185 of the CCPA, as amended by the CPRA, directs the California Privacy Protection Agency to issue regulations requiring businesses whose processing of personal information presents significant risk to consumers' privacy or security to:

  • “Perform a cybersecurity audit on an annual basis…”
  • “Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information…”

Defendify's All-in-One Cybersecurity® platform includes several solutions for assessing risk.

The Defendify platform is a multi-layered cybersecurity solution, enabling organizations with small IT teams to assess their current strengths and weaknesses. It helps them discern the necessary steps to fulfill regulatory requirements and to consistently improve their overall security stance.

Ready to see Defendify in action? Schedule time to connect with a Defendify Cybersecurity Advisor.
