CCPA: Keep My Data Private!

by | Oct 6, 2021 | Blog

Our identity is increasingly based on numbers and other kinds of data in today's data-driven world.

In the movie 'The Matrix', Neo is often referred to as The One, since his prophesied role is to end the war between machines and humans. For other characters, numerical names come from more practical concerns. In many movies and series, characters are given numbers or other identifiers that either indicate their role or carry underlying information about them. In many ways this has become our reality: people around the world identify us by our passport numbers, social security numbers and other documents.

CRN reports that the ten largest data breaches in the first half of 2021 affected over 98.2 million individuals, with three of the ten occurring at technology companies. Businesses need to protect the information they commonly store: employee records, customer details, loyalty programs, transactions and other data collections. To prevent fraud, including phishing scams and identity theft, unauthorized third parties must not be able to access that data. If the personally identifiable information (PII) of students, for example, falls into the hands of criminals, those students are at risk of identity theft, and a breach can put protected health information (PHI) in the hands of those who would misuse it.

The good news is that there is a law that protects your private information and prevents it from being misused. Consumers have more control over the personal information that businesses collect about them thanks to the California Consumer Privacy Act (CCPA). The CCPA, often referred to as "California's GDPR," has prompted companies across the US to do much more than update their privacy policies. The law took effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020. Under the CCPA, Californians can request access to, deletion of, or an opt-out from the sale of the personal information (PI) that businesses collect and hold about them. The law focuses on making sure organizations have a business purpose for the personal information they collect.

Which Key Provisions are Included in the CCPA?

Under the CCPA, consumers may ask businesses to disclose any of the following:

  1. The categories and specific pieces of personal information the business has collected about the consumer
  2. The categories of sources from which that information was collected
  3. The business or commercial purpose for collecting or selling that information
  4. The categories of third parties with which the information is shared

Business purposes recognized by the CCPA include:

  1. Auditing and verifying transactions
  2. Detecting security incidents and protecting against fraud or illegal activity
  3. Debugging to identify and repair errors
  4. Short-term, transient uses
  5. Performing services on behalf of the business, such as customer service

Does the California Consumer Privacy Act apply to me?

Any for-profit company that does business in California (that is, collects the personal information of California residents) and meets at least one of the following three thresholds must comply with the CCPA:

  1. Annual gross revenue of more than $25 million
  2. Buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices per year
  3. Derives 50% or more of its annual revenue from selling consumers' personal information

A company that meets any one of these criteria must inform consumers, at or before the point of collection, of the categories of personal information it collects and the purposes for which it will be used.

An organization can be found in noncompliance with the CCPA in a myriad of ways:

  • A failure to comply with new disclosure requirements

Companies that collect personal information must provide a disclosure outlining the consumer’s rights under the CCPA, what type of information is being collected, how it will be used, and how it has been shared with third parties in the past year.

  • Processes not in place to fulfill consumer requests

Under the CCPA, covered companies must establish a process that lets consumers access, delete, and opt out of the sale of their personal information; because the law carries a 12-month look-back, access requests made in 2020 reached back to information collected since January 1, 2019. The company must also run a verification process to confirm the identity of the consumer making the request before acting on it.

  • The company’s homepage does not provide proper opt-out methods

Links stating “Do Not Sell My Personal Information” must be prominently displayed on the company’s homepage. Using this link, consumers can actively opt-out of having their personal information sold.

  • Breach of personal information due to insufficient security measures

Although the CCPA is primarily a privacy statute rather than a breach-notification law, it gives consumers a private right of action (individually or as a class) for breaches of nonencrypted, nonredacted personal information that result from a business's failure to implement and maintain reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. A company already dealing with the aftermath of a devastating hack could therefore face a very large liability.

Penalty for non-compliance with CCPA:

Under the CCPA, organizations have 45 days to respond to a verifiable consumer request (extendable once by a further 45 days when reasonably necessary). Businesses that do not cure a violation within 30 days of being notified by the California Attorney General may be fined up to $2,500 per violation, or up to $7,500 per intentional violation. In the event of a data breach caused by inadequate security, consumers can sue for statutory damages of up to $750 per consumer per incident.

What can Data Dynamics do to mitigate the CCPA’s non-compliance risk?

Compliance risk arises from untidy data. According to CIO, 80-90% of the data we generate today is unstructured, and IDC estimates that more than 90% of that unstructured data is never examined. Businesses are therefore not making the most of a potential resource, and, more importantly here, they may be holding personal information without knowing it and failing to meet privacy laws as a result. At Data Dynamics, our first step is to bring structure to this unstructured data: an inventory that shows which data needs to be migrated, which sensitive data needs securing, and which should be wiped.

The Privacy Risk Classification functionality of Data Dynamics' Insight AnalytiX identifies and tags unstructured data containing sensitive or private content, giving data custodians the information they need to manage that data in line with compliance and privacy standards. It assesses your unstructured data for PII, PHI, and business-sensitive data to determine your exposure to risk.

A combination of pattern recognition, keyword recognition, and artificial intelligence (AI) powers the application. Using a range of file readers, Privacy Risk Classifier reads the contents of supported file types and the metadata of unsupported file types. Its data science engine then determines whether any scanned file contains personal information as defined by the CCPA. After the analysis is complete, users can view the results in various graphical forms in the application. A built-in filter lets you view the data by CCPA category, giving you instant results for your unstructured data, saving time and effort, and providing an overview of its content with respect to the compliance laws that apply. Note that the CCPA defines personal information more broadly than the GDPR (it covers households and devices, for example), so the scope of what you must find is wider. Security then comes down to finding that data and securing it. With Data Dynamics, you can effortlessly put your data compliance strategy in motion. Get in touch with us now at sales@datdyn.com.
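To make the "pattern recognition plus keyword recognition" approach concrete, here is an added example of a small PII discovery scanner. It is not Insight AnalytiX code or any other Data Dynamics code; the category labels, function names, keyword list and the three sample files are all assumptions constructed for the example. It shows the two things a practitioner most wants from such a scanner: regex matches are validated (Luhn check for card numbers, structural checks for SSNs) so that look-alike strings are rejected rather than reported, and PHI is flagged from keyword context at a lower confidence than a validated identifier.

```python
"""Toy PII discovery scanner: regex patterns + validity checks + keyword context.

Added example, not Data Dynamics / Insight AnalytiX code. Category labels,
keyword list and sample files are assumptions constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample corpus ({path: contents}); none of these are real records.
SAMPLE_FILES = {
    "hr/onboarding_notes.txt": (
        "New hire Jane Roe, SSN 123-45-6789, personal email jane.roe@example.com, "
        "mobile 415-555-0134. Allergy: penicillin (see patient intake form)."
    ),
    "finance/invoice_2021-09.txt": (
        "Card 4111 1111 1111 1111 charged; a second card 4111 1111 1111 1112 "
        "was declined. Order ref 000-12-3456 is an internal id, not an SSN."
    ),
    "eng/README.md": "Build with make; contact the platform team on Slack.",
}

# Keywords that suggest health information (assumed list, not exhaustive).
PHI_KEYWORDS = ("patient", "diagnosis", "allergy", "prescription")


@dataclass
class Finding:
    path: str
    category: str    # assumed labels: SSN, EMAIL, PHONE, PAYMENT_CARD, PHI
    value: str
    confidence: str  # "high" (validated pattern), "medium" (keywords), "rejected"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(value: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, zero group or serial)."""
    area, group, serial = (int(p) for p in value.split("-"))
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def phone_ok(value: str) -> bool:
    """NANP area codes and exchanges never start with 0 or 1."""
    area, exchange, _ = value.split("-")
    return area[0] in "23456789" and exchange[0] in "23456789"


def card_ok(value: str) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", value))


# (category, pattern, validator). Patterns are deliberately simple; the
# validator is what keeps them from flooding the report with false positives.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda v: True),
    ("PHONE", re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), phone_ok),
    ("PAYMENT_CARD", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), card_ok),
]


def scan_text(path: str, text: str):
    """Return (accepted findings, rejected candidates) for one file's contents."""
    findings, rejected = [], []
    for category, pattern, validator in PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(0)
            if validator(value):
                findings.append(Finding(path, category, value, "high"))
            else:
                rejected.append(Finding(path, category, value, "rejected"))
    # Keyword context: no single identifier, so only medium confidence.
    hits = [k for k in PHI_KEYWORDS if k in text.lower()]
    if hits:
        findings.append(Finding(path, "PHI", ", ".join(hits), "medium"))
    return findings, rejected


def scan_files(files: dict):
    findings, rejected = [], []
    for path, text in files.items():
        f, r = scan_text(path, text)
        findings.extend(f)
        rejected.extend(r)
    return findings, rejected


def summarize(findings) -> dict:
    """Count accepted findings per category (what a dashboard view would chart)."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    found, dropped = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.confidence:8} {f.category:13} {f.path}: {f.value}")
    print("rejected look-alikes:", [(f.category, f.value) for f in dropped])
    print("summary:", summarize(found))
```

The rejected list is worth keeping in a real tool: the second card number fails Luhn and the "000-12-3456" order reference fails the SSN structure check, and a custodian reviewing the report should be able to see why those were not counted. In production you would also want to scan file metadata for unsupported types and to tune the keyword list per data source, as the paragraph above describes.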