The California Consumer Privacy Act (CCPA) is a California state law enacted in 2020 that protects and enforces the rights of Californians regarding the privacy of consumers’ personal information (PI).
Within the digital world, consumer data is understood to be the new gold, a substance of immense potential value to marketers. However, despite the wishes of corporate interests to mine this data, a growing movement insists that the consumers being studied by such data should have a say in how the information they’ve generated is used or not used.
In California, that movement’s aims have been transformed into law, through passage of the CCPA. It strikes a forceful blow for consumer rights and cybersecurity by giving the State of California a capable framework for enforcing data privacy laws and regulations and providing California residents with a path toward private right of action, in order to seek legal recourse from data breaches.
CCPA guidelines were designed to give California consumers a set of rights that deal expressly with personal data privacy and afford them reasonable security safeguards. These rights include Californians’ ability to make consumer requests about their customer data, including requests to:
Prevent sale of their personal information to third-party companies (i.e., The Right to Prevent Resale) by issuing the so-called “Do not sell my personal information” directive
Ask for data about any personal information that’s been collected (The Right to Access)
Request that all collected data about that consumer be deleted (The Right to Be Forgotten)
Thanks to the California Privacy Protection Agency, California residents also have protections aimed at ensuring that residents are suitably notified about data changes affecting them, as well as anti-discrimination rules that mandate persons cannot be subjugated or otherwise penalized because they choose to exercise these rights.
Although most consumers possess a general idea of what is meant by “personal data,” the phrase can mean different things to different people, and considerably more things than first imagined.
Within the context of the CCPA, personal data is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1
CCPA guidelines cover the following specific examples of personal data:
Social Security number
Driver’s license number
Banking account information
Credit card/debit card numbers
Education data and credentials
Personal data becomes even more valuable to marketers when each type of information can be combined through data analytics and used for creating composite views of particular consumers or groups of consumers and making broader inferences about consumer marketing trends, for example. Some of the other forms of PI routinely collected can be equally revealing, including:
Consumer shopping preferences
Personal browsing histories
Articulated personal attitudes
Specified personal behaviors
Another area of concern involves cookies and how they’re used as unique identifiers by websites. This includes first-party cookies (which are designed to delete themselves once their business purpose has been concluded) as well as third-party cookies (which don’t automatically self-delete and have the functionality to collect various types of personal data, including sensitive personal information).
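The first-party versus third-party and session versus persistent distinctions above are the ones a privacy audit of a site’s cookies has to make. The following is an added example, not code from the original article or from IBM: it parses constructed Set-Cookie headers with Python’s standard-library `http.cookies` module, classifies each cookie relative to the page being visited, and flags the persistent third-party cookies that a notice at collection would have to cover. The `registrable_domain` helper is a deliberately naive stand-in for a Public Suffix List lookup, and the sample URLs and headers are constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two DNS labels. A real audit tool would consult the
    Public Suffix List; this shortcut is an assumption made for the example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_set_cookie(page_url: str, response_url: str, header: str) -> dict:
    """Classify one Set-Cookie header as first/third party and session/persistent,
    relative to the site the user is actually visiting (page_url)."""
    page_site = registrable_domain(urlsplit(page_url).hostname)
    response_host = urlsplit(response_url).hostname

    jar = SimpleCookie()
    jar.load(header)                      # one Set-Cookie header carries one cookie
    name, morsel = next(iter(jar.items()))

    # Without an explicit Domain attribute the cookie belongs to the responding host.
    cookie_domain = morsel["domain"] or response_host
    party = "first" if registrable_domain(cookie_domain) == page_site else "third"

    # Max-Age/Expires make a cookie persistent; Max-Age=0 is the server deleting it;
    # neither attribute means it is a session cookie that dies with the browser.
    if morsel["max-age"] == "0":
        lifetime = "deleted"
    elif morsel["max-age"] or morsel["expires"]:
        lifetime = "persistent"
    else:
        lifetime = "session"

    return {
        "name": name,
        "domain": cookie_domain,
        "party": party,
        "lifetime": lifetime,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def audit(page_url: str, set_cookie_headers: list[tuple[str, str]]) -> tuple[list[dict], list[str]]:
    """Classify every (response_url, Set-Cookie header) pair and return the names of
    persistent third-party cookies, the ones a privacy notice must account for."""
    rows = [classify_set_cookie(page_url, url, hdr) for url, hdr in set_cookie_headers]
    flagged = [r["name"] for r in rows if r["party"] == "third" and r["lifetime"] == "persistent"]
    return rows, flagged


# Constructed sample: a shop page whose load sets two first-party cookies and whose
# embedded ad pixel (a different site) sets a long-lived tracking identifier.
SAMPLE_PAGE = "https://shop.example.com/cart"
SAMPLE_HEADERS = [
    ("https://shop.example.com/cart", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("https://shop.example.com/cart", "prefs=dark; Max-Age=31536000; Domain=example.com"),
    ("https://ads.tracker-net.example/pixel",
     "uid=9f8e7d; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker-net.example"),
    ("https://ads.tracker-net.example/optout", "uid=; Max-Age=0; Domain=.tracker-net.example"),
]

if __name__ == "__main__":
    rows, flagged = audit(SAMPLE_PAGE, SAMPLE_HEADERS)
    for row in rows:
        print(row)
    print("persistent third-party cookies needing notice:", flagged)
```

The classification is relative to the visited page, not to the server that set the cookie: the same tracker cookie is first-party on the tracker’s own site and third-party everywhere it is embedded, which is why the audit takes `page_url` as its reference point.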
Most affected organizations approach CCPA compliance not as a single step but as a process. The first part of that process often involves a shift in mindset toward the consumer, and realizing that their privacy needs matter and do carry enforceable rights.
Maintaining CCPA compliance involves upholding the rights of California consumers by providing them with options for how their personal data is administered (including opt-in choices). It also means keeping up with any evolutionary changes in the CCPA in order to keep pace with new technology (such as biometrics) and CCPA policy revisions.
Becoming CCPA-compliant involves a set of steps that may require six months or even a year to achieve in full. Nonetheless, each plays a vital role in establishing CCPA compliance. (Since certain compliance requirements might be undertaken concurrently, steps are denoted with bullet points and not numbers.)
The first step is getting an accurate idea of what consumer data has been gathered, as well as cataloging its various locations. This would pertain to both the “exterior” consumer data collected from consumers outside the company and consumer data gathered “internally” from company employees and job applicants.
It’s essential to maintain secure housing for all gathered personal data, whether it comes from consumers or job applicants. There are also additional provisions related to the protection of information gathered from minors.
A “notice at collection” statement should be issued to all consumers (or even company workers and job seekers). Importantly, this privacy notice should be communicated before or at the time the data-collection activities begin—and not after they’ve already started.
It’s also important to configure an effective and timely means for handling any requests related to consumer information.
Data minimization rules should be developed and implemented to ensure that the organization collects only the minimum amount of PI necessary to achieve a given purpose. Organizations should also consider possible dangers to consumers if the collected data is breached and implement appropriate preventative measures (e.g., automatic deletion of collected data after its use).
One key aspect of achieving compliance is making sure company managers and all employees are aware of CCPA requirements, especially requirements directly impacting their scope of work. Updates can be achieved through training sessions and webinars.
Laws and regulations are often subject to change and amendments. (The CCPA itself underwent such revisions before its 2023 re-launch.) Therefore, it’s a good idea to remain current on CCPA developments.
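Several of the steps above (inventorying what PI has been gathered and from whom, handling consumer requests promptly, collecting only what a declared purpose needs, and deleting data automatically once that purpose is served) come together in a small in-memory personal-information inventory. The code below is an added example and is not IBM’s or any product’s implementation; the record fields, retention periods, consumer identifiers and the reference date `NOW` are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class PIRecord:
    consumer_id: str
    category: str          # e.g. "email", "browsing_history"
    source: str            # "consumer", "employee" or "applicant" (internal data counts too)
    purpose: str           # the declared business purpose for collecting it
    collected_at: datetime
    retention: timedelta   # how long the declared purpose needs the data


class PIInventory:
    """A single catalog of collected PI, so that access, deletion and do-not-sell
    requests are answered from one place rather than from scattered stores."""

    def __init__(self) -> None:
        self.records: list[PIRecord] = []
        self.opted_out_of_sale: set[str] = set()

    def collect(self, record: PIRecord) -> None:
        # Data-minimization gate: nothing enters the inventory without a purpose
        # and a finite retention period tied to that purpose.
        if not record.purpose.strip() or record.retention <= timedelta(0):
            raise ValueError(f"refusing to collect {record.category}: no purpose/retention declared")
        self.records.append(record)

    def access_request(self, consumer_id: str) -> list[dict]:
        """Right to Access: what we hold about this consumer, and why."""
        return [
            {"category": r.category, "purpose": r.purpose, "collected_at": r.collected_at.isoformat()}
            for r in self.records if r.consumer_id == consumer_id
        ]

    def delete_request(self, consumer_id: str) -> int:
        """Right to Be Forgotten: remove every record for the consumer; returns the count."""
        before = len(self.records)
        self.records = [r for r in self.records if r.consumer_id != consumer_id]
        return before - len(self.records)

    def do_not_sell(self, consumer_id: str) -> None:
        """Right to Prevent Resale: record the opt-out so it is honoured on every sale."""
        self.opted_out_of_sale.add(consumer_id)

    def saleable_records(self) -> list[PIRecord]:
        return [r for r in self.records if r.consumer_id not in self.opted_out_of_sale]

    def purge_expired(self, now: datetime) -> int:
        """Automatic deletion once a record's retention period has run out."""
        keep = [r for r in self.records if r.collected_at + r.retention > now]
        purged = len(self.records) - len(keep)
        self.records = keep
        return purged


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference time


def build_sample_inventory() -> PIInventory:
    """Constructed sample data: three consumer records and one job-applicant record."""
    inv = PIInventory()
    inv.collect(PIRecord("c-1001", "email", "consumer", "order confirmation",
                         NOW - timedelta(days=30), timedelta(days=365)))
    inv.collect(PIRecord("c-1001", "browsing_history", "consumer", "product recommendations",
                         NOW - timedelta(days=120), timedelta(days=90)))
    inv.collect(PIRecord("c-2002", "shopping_preferences", "consumer", "marketing analytics",
                         NOW - timedelta(days=10), timedelta(days=180)))
    inv.collect(PIRecord("a-3003", "education", "applicant", "hiring decision",
                         NOW - timedelta(days=400), timedelta(days=365)))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("purged on schedule:", inv.purge_expired(NOW))
    print("access request c-1001:", inv.access_request("c-1001"))
    inv.do_not_sell("c-2002")
    print("records still saleable:", [r.consumer_id for r in inv.saleable_records()])
    print("deleted for c-1001:", inv.delete_request("c-1001"))
```

The retention purge runs against the purpose each record was collected for, which is what makes the “collect only what a purpose needs” rule enforceable rather than aspirational; a scheduled job calling `purge_expired` is the automatic-deletion measure the text mentions.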
Data brokerage—the buying and selling of PI—is a booming business, which experts valued at USD 240 billion globally in 2021. That amount is expected to nearly double and balloon to more than USD 450 billion annually by decade’s end.2
Anything as valuable as data must be protected vigorously. Accordingly, the California Privacy Protection Agency (CPPA) is empowered to strike at the bottom line of companies that violate CCPA tenets. And while CCPA penalties are capped at a relatively low rate (either USD 2,500 for a violation that was shown to have been unintentional or USD 7,500 for an intentional violation), it’s worth noting that those CCPA penalties apply to just a single offense, such as a data breach involving one person.
But the reality is that data breaches rarely involve a single impacted party. Instead, they are more typically mass events involving thousands or even hundreds of thousands of consumers. So if you multiply possible CCPA fines by a large number of California residents, you could soon be calculating gigantic penalties.
The CCPA does offer offending companies a way out of paying these hefty fines, by giving offenders a 30-day grace period to remediate the error they’ve committed. If an offender can enhance their security measures and “fix” the problem within a month, then the penalty fee can be waived. Obviously, companies are financially obliged to remedy such offenses, but that can prove difficult or even impossible in some situations, considering that offenses such as data breaches often involve data disclosures that can’t be reversed.
The scope of the CCPA continues to expand and evolve in order to keep pace with technology’s explosive growth, such as the Internet of Things (IoT).
For example, the CPPA has recently announced a new focus of attention—“connected” vehicles (CVs) that are equipped with data-collection mechanisms. Modern vehicles have the means to collect a comprehensive amount of information about drivers as well as geolocation data, and transmit that data. Considering there are more than 35 million registered vehicles in California, this represents a huge undertaking. But according to the CPPA’s Executive Director, it’s a need that requires attention.
“Modern vehicles are effectively connected computers on wheels,” Ashkan Soltani stated in July 2023. “They’re able to collect a wealth of information via built-in apps, sensors and cameras, which can monitor people both inside and near the vehicle.”3
The phrase “near the vehicle” is noteworthy because it implies that not only drivers’ data is protected, but also anyone who may be riding in that car and even individuals who may just be walking near the vehicle and whose momentary images are captured by on-board cameras.
This announcement also seems significant because, in it, the CCPA’s authority is being used to protect personal data generated via IoT, in this case, from connected vehicles. The announcement may prove even more significant if it signals the agency’s intention to rule on an increasing number of cases involving IoT-related matters in coming years.
In most ways, the CCPA and the European Union’s General Data Protection Regulation (GDPR) are cut from the same cloth. Both the GDPR and the CCPA:
Are guided by an instinct to protect and empower the individual citizen
Give the consumer the right to object to collected data and have it corrected, if the collected data is in error
Give the consumer the right to access their personal information, relocate it or (should they choose to do so) erase it permanently
Demand that consumers be personally notified if the security of their collected data is breached
There are also differences. The GDPR has cross-border transfer requirements that aren’t needed in single-state California. Likewise, the CCPA applies restrictions on the sale of PI, which the GDPR does not.
Still, there are more similarities than differences between the GDPR and the CCPA. Both standards have to grapple with the thorny issue of third-party risks, wherein one company essentially outsources its management of personal data to an outside firm. When this occurs, that third-party firm must be ready and legally able to assume the same CCPA-based responsibilities for PI that the original company incurred after originally collecting or purchasing the data in question. Both the CCPA and GDPR require companies to share the categories of third parties with which they share information, what information they share with each, and why.
The GDPR and the CCPA also share another major trait—the ability to financially penalize service providers and other companies that commit non-compliance infractions. This was shown recently in dramatic manner with the largest data-privacy penalty fine yet recorded.
In May 2023, the Irish Data Protection Commission (DPC) levied a record-setting fine of EUR 1.2 billion (approximately USD 1.3 billion) against Meta (the company formerly known as Facebook) for unlawfully using European data within its American businesses, which include Instagram.
Automate compliance auditing and reporting, discover and classify data and data sources, monitor user activity and respond to threats in near real time. Guardium® Insights supports a modern, zero-trust approach to data security, by helping to uncover unusual activity around sensitive data and reducing risk of exposure.
Gain sharper visibility and keen insights to assist you in investigating and remediating cyberthreats. Enforce security policies and access controls in near-real time to quickly address regulatory compliance needs.
Deliver trusted customer experiences and grow your business with a holistic, adaptive approach to data privacy based on zero trust principles and proven data privacy protection. With IBM data privacy solutions, you can strengthen data privacy protection, build customer trust and also grow your business.
IBM Security® Guardium® Insights provides comprehensive data protection for on-premises and cloud data stores, and simplifies compliance with automated auditing and reporting. Read more about Guardium Insights features or get started with a self-paced click-through demo.
1 “4 Types of Personal Data Under the California Consumer Privacy Act (CCPA),” Eric Andrews, securiti website (link resides outside ibm.com)
2 “Data Brokers Market Outlook 2031,” Data Brokers Market, Transparency Market Research website (link resides outside ibm.com)
3 “CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies,” reported 23 July 2023 on California Privacy Protection Agency website (link resides outside ibm.com)