This CCPA training is provided free for use. Haekka offers a fully integrated training platform in Slack, enabling customers to meet their compliance, privacy, and security training requirements using modern, relevant content delivered 100% in Slack.

Overview to CCPA

The California Consumer Privacy Act (CCPA) received a lot of attention when it was passed in 2018 and more notice when it went into effect in 2020. As the name implies, the law applies to California residents, and the California legislature passed it. The regulation took inspiration from GDPR in Europe and, as such, a lot of the data rights created by CCPA mirror the data rights created by GDPR.

The overarching motivation behind CCPA was 1) to create and grant a class of rights that consumers have over their data and their online privacy and 2) to codify responsibilities for companies when it comes to the collection and use of personal information.

“Consumers” are equivalent to users for technology companies. The CCPA created new, exercisable, and enforceable rights for your users. The flip side is that there is a whole slew of new responsibilities that fall on companies when it comes to communicating data practices, protecting data, and enabling users to exercise their data rights.

The CCPA is the strictest state general privacy law in the US. While there is still no national privacy regulation equivalent, many companies, especially technology companies that operate across state lines, have embraced CCPA as a new standard to follow across all states. There are much interest and debate around personal privacy and data at both federal and state levels; but, anything that is likely to pass will have similar consumer rights and company obligations to what is in the CCPA.

This CCPA training establishes a baseline understanding of CCPA and helps companies ensure they meet the employee training requirements of CCPA. This course will not make you an expert on CCPA, but it will help you come up to speed with the regulation and the things you and your company need to do to comply with it.

Below is an outline of the course. Remember, you have lifetime access to the content.

Course Overview

• What companies need to comply with CCPA? Knowing if you have to comply with CCPA is the first step. There are three critical factors in determining if your company needs to comply with CCPA.
• Data covered under CCPA. One of the most important things to understand about CCPA is the data to which it is concerned, and any exceptions that may exist.
• Data Subject rights under CCPA? End-user rights on their personal data, or data subject rights, are clearly defined and can be exercised by individuals.
• Your responsibilities under CCPA? As a company under CCPA, you have specific requirements to protect data, report breaches, and handle data subject requests.
• Penalties under CCPA. Your company needs to comply with CCPA. What is your financial risk?
• Recap of CCPA. CCPA and GDPR are similar regulations and often lumped together when people talk about data subject rights and privacy. Understanding the overlap and differences helps to understand both regulations.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Which Companies need to Comply with CCPA?

CCPA lays out several concrete criteria to determine if CCPA applies to your company. The criteria do not explicitly require every company in CA, or every company that collects data on CA residents, to comply with CCPA.

The first two criteria are mandatory.

1. Your company is a for-profit company. Non-profit organizations and government agencies do not need to comply with CCPA.
2. Your company must collect and store data on CA residents. CCPA defines “collect” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information”.

Assuming your company answers the top two criteria in the affirmative, your company must meet 1 of the following 3 criteria. These criteria are designed to disqualify smaller companies.

• Annual revenue is greater than $25M. The goal with this criterion was to save smaller companies from the burden of complying with CCPA. $25M in annual revenue is a bar that eliminates small businesses but automatically includes all medium to large businesses.
• Collect data on more than 50,000 CA residents, households, or devices. 50,000 records as a criterion feels arbitrary. 50,000 data records, even if just for CA residents, is not a high number for a technology company. This represents roughly 0.1% of the population of California. If a technology company sells a product directly to the end-user, this is low penetration. If a company sells to businesses, several large business customers mean the company will hit the threshold of the 50k record.
• At least 50% of revenue comes from selling data on CA residents. This is the most interesting criterion that seems to penalize smaller businesses with a large presence and focus on CA. I think this criterion should be any business that collects data on CA residents and has a business model of selling data. Other than the for-profit criteria, this is the only criterion that assesses the business model of companies in determining whether CCPA applies.

That’s it in terms of qualifiers for CCPA. Most technology companies are for-profit and have a presence in CA, meaning they have users / customers in CA, so that leaves the sizing and business model criteria as the determining factor.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Data Covered under CCPA

While CCPA is far-reaching in terms of companies that are impacted, the legislation only applies to specific types of data, namely personal data from CA residents.

The data covered under CCPA is identified as “personal information”. The CCPA definition of personal information is data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Or, simply, data that identifies an individual or household or that can be used to identify an individual or household.

Given the free flow of data and the sheer amount of data collected passively and automatically by our computers and phones, this is an incredible amount of information and it is not crystal clear what data might be capable of “reasonably” being linked to an individual.

Take exercise tracking apps. The routes themselves, without any personal information on the user, if they start and end at a residence, can reasonably infer that the residence is the address of the individual. This type of data has been shown to expose the sites of secret oversea military facilities.

Geolocation data, something that mobile apps have notoriously hoovered up from users, is a broad category of data that can easily be linked to individuals.

Or data that identifies your online activities - search history or browser fingerprinting.

It is easy to imagine almost any user-associated data being considered personal information under CCPA.

There are a few personal information exceptions that were added to CCPA so as not to overlap with other privacy regulations where the data is already being regulated. Those exceptions include healthcare data and financial data.

A list of personal information explicitly listed in CCPA is below.

1. Real name
2. Postal address
3. Email address
4. Social Security Number
5. Driver’s license number
6. Passport number
7. Signature
8. Physical characteristics or description
9. Telephone number
10. State identification card number
11. Insurance policy number
12. Education
13. Educational information (as defined by 34 C.F.R. Part 99)
14. Employment
15. Employment history
16. Bank account number
17. Credit card number
18. Characteristics of protected classification under California law
19. Characteristics of protected classification under federal law
20. Biometric information
21. Internet or other electronic network activity
22. Browsing history
23. Search history
24. Audio information
25. Electronic information
26. Visual information

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Data Subject Rights under CCPA

Data subject rights are rights granted to individuals around collecting, using, and disclosing their personal information. CCPA creates several new classes of data subject rights that CA consumers can exercise and to which business must comply. The two-pronged goals of these rights are to 1) increase transparency of data collection practices and 2) enable consumers to limit their data that is collected, used, and sold.

Below are the data subject rights created by CCPA.

Notice

Consumers have the right to know the types of personal data that a business collects and how it is used. This right to notice is required before the company collects or uses personal information. Businesses are not allowed to collect additional personal information or use it for other purposes without first notifying consumers.

Access

Consumers have the right to request and be granted access to the personal information that a business collects and retains about them. Presumably, because of the burden of these requests, businesses only need to provide personal information to individuals twice in 12 months.

Deletion

Consumers have the right to request the deletion of their personal information. Businesses are obligated to delete personal information upon request and to direct service providers to delete personal data for the requesting consumer.

There are many exceptions in which a business does not have to comply with deletion requests. Some of the more vague and interpretable exceptions include:

• To enable solely internal uses that are reasonably aligned with consumer expectations based on the consumer’s relationship with the business.
• Otherwise, use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided it.

Portability

Consumers have the right to request their personal information in a format that is readily usable. The intent is to enable the consumer to move data from one business to another.

Disclosures

Consumers have the right to request a listing of the disclosures of their personal information to 3rd parties. This information should include the data that was disclosed and the purpose to which it was disclosed.

Opt-Out

Consumers have the right to opt-out of the sale of their personal information. Businesses that sell personal information to third parties must have a link on their homepage that reads “Do Not Sell My Personal Information.”

Rights for Minors

Minors are afforded slightly different rights under CCPA. For minors under 13, parents or guardians must opt-in to personal data collection. For minutes aged 13-16, the minor has to opt-in.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Your Responsibilities under CCPA

Just as the CCPA granted consumers new rights on their personal data, CCPA places new obligations on business for handling data. Some of these obligations are to enable data subject rights while others are obligations pertain to general data protections and transference of data.

Notice to Consumers

There are several requirements that businesses need to comply with in terms of notices for consumers. Businesses need to provide notice to end-users of their data rights under CCPA. In addition, they need to provide clear means to exercise those rights. For companies that sell personal data, they need a link on their homepage that consumers can use to opt-out of selling their personal information.

Methods of Exercise Consumer Rights

CCPA requires that businesses provide consumers with two methods of submitting data access requests and data deletion requests. In the case of online-only companies, only one method is required for access requests; 2 methods are still necessary for deletion requests.

Do Not Discriminate

Businesses cannot discriminate against consumers who exercise their data rights. Businesses cannot charge different amounts or offer different services to consumers based on how they use their data rights.

Transferring Data to Third Parties

There are two categories of third parties under CCPA - service providers and non-service providers. Service providers are companies that provide services for other companies. A typical service provider for technology companies is their cloud provider.

For service providers, companies need to have agreements in place with them to ensure the protection of personal information.

For non-service providers, companies must disclose to consumers that personal data will be shared with the third party before the data is actually shared.

Training Employees

While CCPA does not mandate training of all employees, it does mandate training of all employees who may need to administer or respond to users’ inquiries about data rights and the company’s compliance with CCPA. It should be best practice to at least train employees on the basics of CCPA as there are many avenues for consumer questions and requests.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Penalties under CCPA

While privacy and the role of stewards for personal data are a value and enough of a reason to pay attention to data protection and information security, penalties and reputational damage for violating data regulations weigh heavily on the minds of most company executives. CCPA defines penalties on a per violation basis. There are two forms of penalties - those brought by the California Attorney General as civil cases and those brought by individuals.

Attorney General Penalties

Penalties brought by the Attorney General have a potential penalty of $2,500 per violation or $7,500 per intentional violation. These penalties can be levied for violating CCPA, whether there has been a breach of data or not. If there are violations that impact a large number of individuals' records, these fines can add up.

CCPA allows for a 30 day cure period. This clause requires the Attorney General to notify a company of a violation and allow the company to have 30 days to resolve it. If the violation is resolved in this timeframe, then there is no penalty for the violation.

Cases by Individuals

CCPA also allows for individuals, in particular cases, to seek damages from companies. This right is codified in CCPA as the Private Right of Action. As opposed to the above violations brought by the Attorney General, individual cases can only be brought against companies when there has been a data breach.

The penalties are capped between $100 and $750 per individual, per violation. While these violations can add up if many impacted individuals pursue action, the penalties are considered by many to be too low.

The last form of penalty is reputation damage. With the increasing awareness and value that consumers put on privacy and protecting their data, this is a powerful deterrent. While not specific to CCPA, this is something that many executives and boards think about when they prioritize data security and privacy.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

CCPA 2.0 (aka CPRA)

In May 2020, a new form of consumer protection was announced as an initiative for inclusion on the California ballot in November. The California Privacy Rights Act (CPRA) was created by the same organization that helped craft CCPA. It was submitted with over 900,000 signatures, well above the 675,000 required for inclusion on the ballot.

Despite the new name, CPRA builds on CCPA and does not replace it. There are several significant changes and clarifications that CPRA makes. Below are the more relevant changes.

New Enforcement Authority

A new agency, called the California Privacy Protection Agency, would be created to administer and enforce CCPA. The agency will be run by a board of 5 appointed individuals. This takes enforcement away from the California Attorney General.

Categories of Data

There are new categories of data, including things like the contents of an email and biometric data. The challenge with this new rule is that businesses need to provide disclosures specific to each category of data. Businesses are going to need technology to categorize and track data at a more granular level. With data retention, each category of data can only be retained for as long as it is needed for the stated business use.

Right to Correct Data

CCPA created a host of new consumer privacy rights, including the right to access data, delete data, opt-out of selling data, and know disclosures of data. CPRA expands these consumer rights to include the right to correct personal data.

Guarantees from Service Providers

CPRA requires businesses to create new contractual terms with their service providers for the protection.

Criteria for Complying with CCPA

The CPRA updates two of the criteria for determining if your company needs to comply with CCPA. The criteria for the number of records on California residents increase from 50,000 to 100,000. The criteria that more than 50% of revenue comes from the sale of personal information is changed to more than 50% of revenue comes from the sale or sharing or personal information.

When CCPA was up for a vote, at the end of 2018, much last-minute negotiating and deal-making softened the blow of CCPA for businesses. It is possible CPRA will follow a similar trajectory and end up being negotiated and settled from the current language.

Despite that possibility, what is clear is that consumer privacy rights are an active area even after initial versions of legislation are passed. Californians and businesses that serve Californians need to stay up to date as their rights and obligations evolve.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Recap of CCPA

CCPA, despite only protecting data on California residents, applies to many companies. You do not have to be based in CA to have to comply with the regulation or be subject to potential penalties for violating the rules of CCPA. Below is a summary of the lessons learned in this course.

What companies need to comply with CCPA?

Companies that need to comply with CCPA are for-profit and at least one of the following - 1) annual revenue over $25M, 2) data on more than 50,000 CA residents, or 3) earn at least 50% of revenue from selling personal data on CA residents.

Data covered under CCPA.

CCPA is concerned with personal information on CA residents. Personal information is information that can identify or reasonably identify a resident as an individual. Explosions in the type of digital data collected about people make this a moving target.

Data Subject rights under CCPA?

CCPA created a new class of personal data rights for CA residents. These rights include a right to know what data is collected on them and how it is used, a right to opt-out of the sale of their data, a right to delete their data, a right to access data in a portable format, and a right to know to whom their data has been disclosed.

Your responsibilities under CCPA?

Companies have a responsibility to consumers under CCPA. They need to provide notice about data collection and usage, methods for exercising data rights, and a need to train employees who receive customer inquiries and data requests.

Penalties under CCPA.

There are two forms of penalty defined by CCPA - 1) penalties for violations of any part of CCPA that are brought by the CA Attorney General and 2) penalty payments to individuals specifically for breaches of personal information. In the case of Attorney General cases, there is a 30 day period for companies to resolve violations and avoid penalties.

CCPA 2.0 = CPRA)

CPRA, which updates and clarifies CCPA, has a high likelihood of being on the ballot in the fall of 2020. While not passed or implemented, there are several important changes that could have a significant impact on companies - new categories of data including “sensitive” data, new rules governing the handling of categories of data, and new consumer rights to correct personal data, amongst others.

Hopefully, this training has given you a baseline understanding of CCPA. CCPA is very likely going to be the standard for more and more data protection regulations in the US. A base-level knowledge of CCPA will serve as a good foundation for future regulations.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

© 2020 DayZero Inc. All rights reserved.

Questions? Reach out to us - hello@haekka.com

‍