What Is The California Consumer Privacy Act?
The California Consumer Privacy Act of 2018 (CCPA) [1] provides California consumers specific privacy rights that businesses and data brokers are required to adhere to. These privacy rights include:
- The right to know about the personal information a business collects about them and how it is used and shared
- The right to delete personal information collected from them (with some exceptions)
- The right to opt-out of the sale of their personal information
- The right to non-discrimination for exercising their CCPA rights
CCPA privacy rights
These rights are specific to California residents and apply to a natural person (not a corporation or business entity). The essential protection the CCPA provides is the safeguarding of personal information. This includes most personally identifiable information (PII), such as name, Social Security number, email addresses, purchase history, browser history, geolocation data, images, and biometric data (like fingerprints), that could have been used or captured in the course of a consumer’s interaction with a business entity, whether or not the consumer was aware of it. Per California law, one “violation” occurs per consumer, so multiple instances of the same violation against a single consumer count as one violation.
The CCPA does not apply to nonprofit organizations or government agencies. It also does not apply to publicly available information that is from federal, state, or local records, and information that could be gathered from public real estate/property records or professional licenses.
If your company is for-profit, you must comply with CCPA if your business:
- Receives, processes, or transfers data from over 50,000 Californians per year,
- Has gross yearly earnings exceeding $25 million, or
- Derives at least 50% of its annual revenue from selling data belonging to Californians.
Penalties For Violation Of CCPA
A consumer can only sue a business under the CCPA if there is a data breach, which is where cybersecurity, specifically a business’s failure to prevent a breach, comes into play. There are additional circumstances that limit a business’s exposure as well.
- A consumer can only sue for a breach that is a result of a “failure to maintain reasonable security procedures and practices”
- The breach must have resulted in the theft or exposure of non-encrypted and non-redacted personal information
- Statutory damages are limited to up to $750 per incident, and the consumer must first give the business written notice of which CCPA sections it violated and allow it 30 days to respond that the violations have been cured and that no further violations will occur
The California Attorney General can also file an action against businesses when they are either alerted to violations by consumers or otherwise identify patterns of misconduct.
- When a business is found to be in violation of CCPA by the Attorney General’s office, the business, service provider, or person shall be subject to a civil penalty of $2,500 for each unintentional violation and $7,500 for each intentional violation
While a consumer’s right of action is only triggered by a data breach, the Attorney General can pursue penalties for violations of any part of the CCPA [2], including:
- Failing to respond to consumers' requests under the CCPA rights
- Failing to provide adequate notice when collecting personal information
- Selling consumers' personal information without providing an opt-out
- Discriminating against consumers who exercise their CCPA rights
Why It Is Important
What is clear from the CCPA penalties is that non-compliance can be very costly to a business, and even non-compliance with the preventative safeguards, as opposed to violation of consumer privacy rights, can significantly impact a business. In many ways inspired by GDPR, CCPA seeks to make companies responsible for staying ahead of threats, which is why the penalties are not just for breaches, but for failure to enable proper preventative measures.
The challenge many businesses face is a lack of familiarity with the provisions and requirements of CCPA, as well as what actions, procedures, and policies they are responsible for.
Common Challenges With CCPA Compliance Training
When the aim is to complete training to satisfy compliance requirements, completing the security awareness training becomes the goal - when in reality, better user recognition of and response to threats is what is needed.
CCPA requirements state that all individuals responsible for handling consumer inquiries about the company’s privacy practices and all individuals responsible for the CCPA compliance of the business must be trained.
The CCPA does not clearly define several aspects of what exactly this means, so we address some of these ambiguities here:
- What does “handling consumer inquiries” mean for all of my employees? - Your organization is not required to train every employee to handle consumer inquiries about CCPA and your company’s privacy practices, but you should ensure that individuals who could initially receive such questions are trained not to answer them and instead direct them to the appropriate contact or resource (such as customer service representatives).
- What does “responsible” mean? - Since the CCPA does not explicitly define this, it is best to ensure that all individuals who collect, store, transmit, or have access to consumer information are trained on how to adhere to CCPA regulations.
- What specific training is required? - Since the CCPA does not indicate what type or frequency of training is required, a company can choose the training materials and method it prefers; it is strongly recommended to provide at least annual training with quarterly reviews of the CCPA requirements.
Preventing breaches that expose consumer data is, however, a requirement that all employees must be a part of. Therein lies the largest cybersecurity challenge that many organizations struggle to solve: human error still accounts for 90% of breaches, even though we throw the best technology at the problem (the average enterprise has 75 different security products). This is because most cybersecurity training is boring; its goal is to check the box that training has taken place, and it does little to measure whether the training actually changed employee behavior.
What Does Good Look Like
Living Security is built on an entirely different premise - that people are your greatest asset. Our solution measures strengths and weaknesses for employees, identifies potential gaps, then delivers timely, engaging individual and team-based training that creates proven, lasting change. If your organization has ever struggled with a challenge like “everyone has completed phishing training, but hundreds of employees still click on our phishing simulations over and over,” you need a better solution.
A top five global telecommunications company ran an internal test and found that “end users who went through the LS Escape Rooms were 45% less likely to click on a phishing simulation vs. all others”.
The Escape Room is one example of team training that explores phishing, personally identifiable information, and other security concepts through team puzzle solving. Paired with an engaging storyline based on real-life scenarios, the experience delivers more impactful learning.
The goal of security awareness compliance shouldn’t just be to check the box that employees have completed training, it should be to prevent breaches and minimize risk and exposure due to human error.
What Makes Living Security Better
CCPA is a rather unique compliance regulation, where there are potentially significant penalties for exposing consumer data and separate, significant penalties for non-compliance with the consumer privacy rights portion.
One critical aspect of the CCPA is safeguarding consumers’ personally identifiable information. The most critical aspect of protecting PII is restricting its collection and sharing. In order to protect your clients’ PII, you need to train your employees.
Living Security’s training is engaging, impactful, and delivers a 16x increase in retention that helps you create proven, lasting change - and turns employees into your strongest cybersecurity asset.
Living Security makes it easy to meet CCPA compliance and protect your consumers’ PII with training modules that include, but are not limited to:
- CCPA-specific content
- PII-specific content
- Passwords (maintaining strong passwords, use of a password manager)
- Phishing (and other forms, vishing, smishing)
- Physical security (device security, document access and disposal)
- How to report an incident
- Removable devices/USBs
- Mobile devices
- Social media usage and risks of oversharing
- …many, many more
Our modules range from quick-hit 1-3 minute training per topic to full CyberEscape room series that cover multiple topics all-in-one. Your compliance checklist can easily support several complex topics in under 15 minutes.
Meet Your Compliance Requirements
Learn more about how Living Security can help you meet your compliance requirements, and actually help your employees make better cybersecurity decisions.