CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

CCPA stands for the California Consumer Privacy Act of 2018, which took effect on 1 January 2020. It is the most recent personal data protection law passed by the State of California. It is intended to protect the privacy rights of California residents and responds to the growing role of personal data in contemporary business practices and the privacy implications of how personal information is collected, used and protected.


Who must comply with the CCPA?

The CCPA applies to for-profit businesses that do business in the State of California, collect California residents' personal information, determine the purposes and means of processing it, and meet at least one of the following thresholds:

Annual gross revenues in excess of $25 million.

Annually buys, receives for commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households or devices.

Derives 50 percent or more of its annual revenue from selling California consumers' personal information.

Companies already following GDPR will have a head start on CCPA compliance, since the two laws overlap in some areas. Meeting every CCPA requirement will still take diligence, however, even for organizations that are compliant with other regimes, and any gaps carry new consequences.

What are the CCPA requirements?

For businesses that must adhere to the CCPA, compliance breaks down into five main requirements:

Data inventory and mapping of in-scope personal data and instances of “selling” data

New individual rights to data access and erasure

New individual right to opt-out of data selling

Updating contracts with third-party service providers that process personal data on your behalf

Remediation of information security gaps and system vulnerabilities

CCPA penalties and how to avoid them

As with any compliance regime, violating the CCPA comes with a price tag. Under the CCPA's enforcement provision (California Civil Code section 1798.155), the Attorney General can seek civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation. In addition, when a data breach results from a business's failure to implement reasonable security measures, affected consumers can recover statutory damages of $100 to $750 per consumer per incident, or actual damages if those are greater.


How does the CCPA work?



While the current compliance requirements are limited to California, this new privacy law could signal the beginning of a nationwide change, similar to GDPR regulations in Europe.


How Briskinfosec can help you comply with the CCPA

Briskinfosec, a global information and cyber security company and a CERT-In empanelled organization, will help you meet the CCPA compliance requirements, protect personal data and honor consumers' rights under California privacy law.

The Briskinfosec team will identify any gaps between your current practices and the CCPA requirements, advise on the corrective actions needed to be ready for a CCPA audit, and provide ongoing support afterwards.


Why partner with Briskinfosec for CCPA compliance?

The Briskinfosec team is knowledgeable and experienced in providing compliance audit, assessment and implementation services that help organizations meet regulatory requirements such as PCI DSS, HIPAA, EI3PA, NERC-CIP, NFA, FINRA and GDPR.


Our CCPA services

CCPA audit and assessment

Personal Data Mapping

Privacy by Design Program

Privacy Impact Assessment

Incident and Data Breach response planning

Network Penetration Testing

Vulnerability Scanning

Enterprise Privacy Risk Assessment

Personal Data Security Awareness and Training


Additional details


  • Potentially. The CCPA (California Consumer Privacy Act) has already been amended since it was passed, and the Office of the California Attorney General is expected to issue implementing regulations this fall. Additionally, a dozen bills that would amend the CCPA recently passed through the California State Assembly. Next, these bills will be reviewed by the California State Senate, so the odds are good that more changes are to come. Any amendments the Senate reviews and passes will go to the California Governor’s office, where they will either be signed into law or vetoed.

  • The CCPA applies to for-profit businesses operating in California that collect personal information of California consumers for which any of the following are true:
  • Annual gross revenues over $25 million.
  • Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices.
  • Derives at least 50% of annual revenue from selling California consumers’ personal information.

  • The CCPA provides the following rights to consumers:
  • The right to know what personal information has been collected.
  • The right to know whether that information has been disclosed or sold.
  • The right to say “no” to the sale of their information (also called “opt out”).
  • The right to request deletion of their personal information.
  • The right to access their personal information.
  • The right to equal service/price when people exercise their privacy rights.

  • The CCPA could be preempted by federal law. It also does not apply to the following information:
  • Protected health information collected by a covered entity governed by California’s Confidentiality of Medical Information Act, as well as information governed by HIPAA. (This exemption is narrower than it seems: any “personal information” that is not PHI remains subject to the CCPA.)
  • Sale of personal information from consumer reporting agencies used to generate consumer reports if the use of that information is limited by the federal Fair Credit Reporting Act (FCRA).
  • Information that is collected, processed, sold, or disclosed that is pursuant to the federal Gramm-Leach-Bliley Act (GLBA), if it is in conflict with that act.
  • Information that is collected, processed, sold, or disclosed that is pursuant to the federal Driver’s Privacy Protection Act (DPPA), if it is in conflict with that act.
  • Some of the proposed amendments, if passed, would also create additional exceptions and exemptions for businesses. Some of these include:
  • Exempting employees from the definition of a “consumer”
  • Providing personal information to a government agency solely for the purposes of carrying out a government program
  • Selling personal information of consumers who have opted out of sale to prevent fraudulent or illegal activity
  • Excluding “publicly available information” from the definition of personal information
  • Removing de-identified or aggregated data from the definition of personal information

  • No. While efforts made to comply with the GDPR may also be leveraged for compliance with the CCPA, the CCPA is not interchangeable with the EU’s data protection regulation. There are differences between the two pieces of legislation, and compliance with one does not equate to compliance with the other.

  • While we await additional clarification from the Office of the California Attorney General, we recommend focusing efforts around the following proactive measures:
  • Audit, analysis, and assessment – map existing processes and data against CCPA requirements to scope the impact of changes and identify
  • Awareness – drive alignment around the resources and technology, such as a consent management platform, needed to address required changes.
  • Designed future state – create a detailed blueprint for compliance.
  • Operationalization model – transform the blueprint into actionable work streams, to remediate gaps and implement new processes, policies, and tools.
  • Ongoing governance – ensure compliance is monitored and enforced by reviewing all data sources and performing privacy impact assessments, as well as amending contracts as needed.

  • If a company intentionally violates the CCPA, it is subject to the maximum civil penalty of up to $7,500 per violation; otherwise the maximum is $2,500 per violation. Additionally, the CCPA entitles consumers to statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, if a data breach results from the company’s failure to implement and maintain reasonable security measures.

  • You will need to review your service agreements with data providers and ensure that they are CCPA compliant. You should ask for evidence (such as screenshots and URLs) from your source providers during the privacy review process to ensure that they collect, process, and share personal data in a compliant manner.

  • While the CCPA is one of the most comprehensive state privacy laws, approximately ten other states, including Hawaii, Maryland, New York and Washington, are currently proposing similar laws, and Maine recently passed one. Because many of these bills resemble the CCPA, brands and publishers should consider prioritizing compliance with the original, given California’s outsize population. If each state law passes, marketers will need to maintain compliance in every jurisdiction in which they operate. As additional states create their own privacy laws, compliance becomes increasingly difficult, reiterating the need for federally pre-emptive legislation.
