What is CCPA?
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a state statute signed into law in 2018 with the intent of enhancing privacy rights and consumer protection for residents of the state. The law, which went into effect in January 2020, gives consumers more control over the personal information that businesses collect about them and establishes new consumer privacy rights, including:
- The right to know what personal information a business collects about them and how it is used and shared
- The right to have their personal information deleted
- The right to opt out of the sale of their personal information
- The right to non-discrimination for exercising their CCPA rights
Who does the CCPA apply to?
The CCPA applies to any for-profit business that conducts business in California and meets any of the following criteria:
- Has gross annual revenues above $25 million
- Buys or sells the personal information of 50,000 or more California residents, households or devices
- Generates 50% or more of its annual revenue from selling the personal information of California residents
Is data encryption required for CCPA compliance?
Compliance with CCPA requires consumer personal information to be encrypted, as noted in Section 1798.150 of the Act: “Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
- To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater.
- Injunctive or declaratory relief.
- Any other relief the court deems proper.”
How are data breaches handled under the CCPA?
Consumers can sue a business under the CCPA only if certain conditions are met. The stolen personal information must include the consumer’s first name (or first initial) and last name in combination with the consumer’s:
- Social security number
- Driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify a person's identity
- Financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to the consumer’s account
- Medical or health insurance information
- Fingerprint, retina or iris image, or other unique biometric data used to verify a person's identity (but not including photographs unless used or stored for facial recognition purposes)
Notably, this information must have been stolen in nonencrypted and nonredacted form.
Related legislation goes further, addressing the consequences a business faces after a breach of consumer information where the records were not encrypted, or where both the encrypted data and the encryption keys were stolen. Specifically, as amended by Assembly Bill 1130, section 1798.82 of the California Civil Code reads, in part:
“A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”