
Expected Areas of Enforcement

The CCPA’s details are complex and can be confusing. However, there are core components of the approved regulations that we expect the California Privacy Protection Agency (the Agency) to enforce:

  1. Privacy Rights: Consumers and employees have the right to access, delete, and correct their data. Businesses must honor these rights within the statutory deadlines.
  2. Clear Disclosure Practices: Businesses must provide consumers with clear and understandable information about organizational privacy practices.
  3. Vendor Management: Businesses must have strong vendor management practices. They should clearly outline the types of vendors they work with and how those vendors use personal data.
  4. Consent & Opt-outs: Consumers have the right to opt out of the selling or sharing of their data. Businesses must make this process easy and understandable via their website or apps.
  5. Data Security & Minimization: Businesses need data minimization strategies and good data security practices to mitigate the risk of data breaches.

Who the CCPA Applies To

The CCPA applies to for-profit businesses that do business in California, collect California residents’ personal information, and meet at least one of the following thresholds:

  • Annual gross revenue above $25 million (from all sources, not only California; the figure is adjusted for inflation every two years)
  • Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households
  • Derives 50 percent or more of its annual revenue from selling or sharing California consumers’ personal information

Unsure if the CCPA applies to your business? Read this article.

Rights Protected by the CCPA

The CCPA gives consumers and employees privacy rights and requires companies to honor these rights in a timely manner.

Because of this, you need to know every system containing employee or consumer data and be able to access, delete, and modify that data. Marketing, product, engineering, HR, privacy, security, and legal teams must collaborate cross-functionally to orchestrate these processes.

Under the CCPA, Californians have the rights to:

  • Be informed
  • Access, delete, or correct their data
  • Opt out of the sale or sharing of their personal data
  • Limit the use or disclosure of sensitive personal information
  • Limit profiling and automated decision-making

Businesses must offer at least two designated methods for submitting privacy requests, one of which must be a toll-free telephone number; a business with a website must also provide a web form or similar online mechanism. A business that operates exclusively online and has a direct relationship with the consumer may instead provide only an email address.

You have 10 business days to confirm receipt of a request to know, delete, or correct, and 45 calendar days to respond substantively. When reasonably necessary, you may extend that period by up to 45 additional calendar days, for a maximum of 90 calendar days from receipt, but you must notify the requester within the initial 45 days and explain why the extension is needed. Requests to opt out of sale or sharing and requests to limit the use of sensitive personal information run on a shorter clock: they must be honored within 15 business days.

Clear Disclosure Obligations

A straightforward and understandable privacy policy is more important than ever for businesses to ensure transparency. The Agency wants to empower consumers with information about how organizations handle their personal data.

At or before the point of collection, you must tell consumers which categories of personal information (including sensitive personal information) you collect, the purposes for which each category is used, whether it is sold or shared, and how long you retain it (or the criteria used to determine that period). The notice should also explain how consumers can opt out of the sale or sharing of their data; for consumers under 16, sale or sharing is not permitted at all without affirmative opt-in consent. Where you offer a financial incentive for personal information, the notice must include a good-faith estimate of the value of the consumer’s data.

Note: If a business offers financial incentives or discounts in exchange for consumers’ personal information, it must disclose the terms and details of the incentives.

Agency Clarification on Dark Patterns

The Agency’s regulations require privacy notices to be easy to read and accessible, and they single out dark patterns: a user interface designed or manipulated to subvert or impair a consumer’s choice. Agreement obtained through a dark pattern does not count as consent. Your website and apps must not make opting out harder than opting in (for example, by requiring more steps, using confusing language, or bundling an opt-out with unrelated choices), and they must not steer a consumer into providing data for a purpose other than the one disclosed.

ACTION ITEM → Review your consent mechanisms, privacy notice, and website.

Strong Third-Party Vendor Management

Under the CCPA, you must have a solid understanding of your transactions and relationships with vendors, service providers, and other third parties. Pay extra attention to those handling consumer and employee personal information.

Businesses should have written agreements with service providers and contractors that restrict them to the specified business purpose and prohibit them from selling or sharing the personal information, combining it with data from other sources, or using it outside the direct business relationship. Service providers that engage subcontractors to handle personal information must flow the same contractual restrictions down to them.

The Agency provides detailed guidance on the definitions of service providers, contractors, and third parties. These definitions are specific, and the differences between them matter: a disclosure to a qualifying service provider or contractor under a compliant contract is not a “sale,” whereas a disclosure to a third party can be.

What’s a Third Party?

For companies building behavioral advertising campaigns, it’s important to understand how a third party differs from a service provider or contractor. A third party is any entity that is neither the business the consumer intentionally interacts with nor a service provider or contractor bound by a qualifying contract.

With behavioral advertising, the third party likely has a commercial interest in a consumer’s data beyond just providing a service. For example, an adtech provider may be interested in using received data to enhance ad targeting models for their clients. Doing this provides added value to the adtech company and its clients.

ACTION ITEM → Review your contracts and data processing agreements to verify they meet requirements.

Privacy Impact Assessments with DataGrail’s Risk Monitor product can help you manage vendors and hold them accountable.

Data Security and Minimization

As your business grows, you’ll collect more data — it’s just the way business works. However, the more data you collect, the more risk you incur. The CCPA requires businesses to use reasonable measures to keep personal information safe from unauthorized access, breaches, and theft. This means implementing safeguards like secure storage, encryption, and access controls. You shouldn’t collect more information than needed or use it for purposes not disclosed to consumers.

Data Handling & Minimization

Practicing data minimization means collecting only the data necessary to complete business tasks. Data minimization decreases data risk, streamlines operations, creates efficiencies, and reduces operational costs. It helps to know your data and where it lives across your organization when implementing data minimization and retention strategies.

Discover All the Data

In practice, meeting these obligations requires businesses to find, discover, and map all internal systems and third-party SaaS solutions containing employee, consumer, and other third-party data. Manual mapping efforts will require cross-functional collaboration. For example, given that HR data (anything from payroll information to 401(k) participation and recruiting) generally resides in various platforms, privacy managers need to start conversations with their cross-departmental peers soon.

DataGrail data shows that companies struggle to identify all systems containing personal data. According to Okta’s “Businesses at Work 2024” report, large companies (2,000 or more employees) use an average of 211 different software applications across operations, many of which involve personal data. This opens companies up to an incomplete picture of their risk profile, which could lead to legal issues and fines.

Key Takeaways & Action Items

The finalized regulations released by the Agency in March 2023 emphasize clear, honest, and understandable consumer communications. The goal for any CISO, privacy leader, or general counsel should be to fully understand how your company uses data and where it comes from. You must also clearly communicate with your customers and employees.

Actions to consider:

→ Ensure you have an accurate and efficient privacy request fulfillment process.

→ Re-read your privacy policy to make sure it’s clear and understandable. Confirm manipulative techniques aren’t used to trick consumers into consenting.

→ Review your vendor contracts. Clarify your company’s various service providers, contractors, and third parties. Know what data they access, and understand how they use, store, and secure it.

→ Ensure you can fully honor the Global Privacy Control (GPC). The regulations treat an opt-out preference signal such as GPC as a valid request to opt out of sale or sharing, so your site must detect and act on it even when the consumer has never clicked an opt-out link.

→ Conduct a data mapping exercise to help inform your data minimization strategy and ensure you can comprehensively complete privacy requests.
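The GPC action item above is the one technical mechanism on this list, so here is an added example of what honoring it looks like on a website. This is illustrative code written for this article, not code from the original post or from DataGrail; it assumes a Node.js-style request object whose header keys are lower-cased, and the `Sec-GPC` header, `navigator.globalPrivacyControl` property and `/.well-known/gpc.json` document follow the W3C Global Privacy Control draft. The tag inventory and sample requests are constructed for the demonstration.

```javascript
'use strict';

// Added example (not from the original article or from DataGrail): honoring
// the Global Privacy Control (GPC) opt-out preference signal.
// Assumptions, labelled here because they are not stated on the page:
// - requests arrive as a Node.js-style object with lower-cased header keys;
// - Sec-GPC, navigator.globalPrivacyControl and /.well-known/gpc.json follow
//   the W3C GPC draft;
// - TAG_INVENTORY and SAMPLE_REQUESTS are constructed sample data.

// A GPC signal is valid only when the Sec-GPC header value is exactly "1".
// Any other value ("true", "0", "") is not a defined signal and must not be
// treated as an opt-out; it must not be read as opt-in consent either.
function gpcOptOutRequested(headers) {
  const value = headers['sec-gpc'];
  if (value === undefined) return false;
  const raw = Array.isArray(value) ? value[0] : value;
  return String(raw).trim() === '1';
}

// Browser-side equivalent: the same preference is exposed on
// navigator.globalPrivacyControl. The navigator object is passed in so the
// check can be exercised outside a browser.
function gpcSignalFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Given request headers and an inventory of tags, return the tags that may
// be emitted. GPC is an opt-out of "sale" or "sharing" (cross-context
// behavioral advertising), so tags that sell or share personal information
// are suppressed; first-party-only or strictly necessary tags are unaffected.
function allowedTags(headers, tags) {
  const optOut = gpcOptOutRequested(headers);
  return tags.filter((tag) => !(optOut && tag.sharesOrSells));
}

// Persist the opt-out on the consumer's profile so it is treated like a
// submitted opt-out request. A later request that lacks the header does not
// revoke it; only an explicit consumer choice does.
function applyGpcToProfile(profile, headers) {
  if (gpcOptOutRequested(headers)) {
    return { ...profile, optOutOfSaleOrSharing: true, optOutSource: 'gpc' };
  }
  return profile;
}

// Body for GET /.well-known/gpc.json, which advertises that the site honors GPC.
function gpcWellKnown(lastUpdateIso) {
  return { gpc: true, lastUpdate: lastUpdateIso };
}

// Constructed sample data.
const TAG_INVENTORY = [
  { name: 'first-party-session-analytics', sharesOrSells: false },
  { name: 'adtech-pixel', sharesOrSells: true },
  { name: 'retargeting-sdk', sharesOrSells: true },
];

const SAMPLE_REQUESTS = {
  gpcOn: { 'sec-gpc': '1', 'user-agent': 'constructed-ua' },
  gpcOff: { 'user-agent': 'constructed-ua' },
  gpcMalformed: { 'sec-gpc': 'true', 'user-agent': 'constructed-ua' },
};

// Stand-alone demonstration over the constructed requests.
for (const [label, headers] of Object.entries(SAMPLE_REQUESTS)) {
  const names = allowedTags(headers, TAG_INVENTORY).map((t) => t.name);
  console.log(label, 'opt-out:', gpcOptOutRequested(headers), 'tags:', names);
}
```

The decision has to happen server-side before any tag is emitted, because a tracking pixel that fires once has already "shared" the data; a client-side check of `navigator.globalPrivacyControl` is a useful second gate for scripts loaded dynamically, but it cannot be the only one.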