Drive CCPA and CPRA sensitive data compliance

CCPA and CPRA Overview

The California Consumer Protection Act

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are considered the most comprehensive consumer data privacy laws in the U.S., and a benchmark for other states. 

CCPA was enacted to enhance privacy rights of California residents by setting guidelines on how businesses should handle private consumer information. CPRA, also known as CCPA 2.0, builds on CCPA’s foundation and enhances consumer privacy protections, as well as the obligations for companies and organizations that process personal information. 

CCPA has been fully enforceable since July 2020. Businesses have until January 1, 2023 to become CPRA compliant.

Businesses impacted

CPRA’s amendments to CCPA apply to any for-profit business that collects personal information on California-based consumers and meets any of the below criteria:

1. Had gross annual revenue of $25M as of January 1, 2022 or the preceding calendar year
2. Buys, receives or sells personal info of 50,000 or more CA residents, households or devices
3. Derives 50% or more of income selling CA residents’ personal info

Note: Businesses need not have operations or employees in CA in order to be subject to CPRA. 

CCPA does not apply to nonprofit orgs or government agencies. Other exemptions include:

• Consumer reporting agencies that are covered by the Fair Credit Reporting Act
• Financial Institutions covered by the Gramm-Leach-Bliley Act
• Entities covered by the Insurance Information and Privacy Protection Act

For purposes of CCPA, a California resident is defined as an individual who uses California residency for income tax purposes. CCPA does not protect consumers who are temporarily in the state of California. 

Data types covered

The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with a particular consumer or household. This includes: name, address, birthday, biometric data, social security number, telephone number, email address, and any other information linkable to a specific individual. 

Sensitive Personal Information is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:

• social security, driver’s license, state identification card, or passport numbers
• account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
• precise geolocation
• racial or ethnic origin, religious or philosophical beliefs, or union membership
• the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
• genetic data

The CCPA offers two exemptions: 

• Personal information collected by a business about a person who was either a job applicant or past/current employee. The exemption is limited to when the business used the information provided “solely” for employment-related actions. 
• The B2B exemption applies to personal information of employees or business contacts that a business collected to aid in providing or receiving a product or service to and from another business.

Neither the CCPA and CPRA extend to data already protected by other laws, such as:

• Financial services providers already in compliance with the GLBA 
• Medical information protected under the California Confidentiality of Medical Information Act
• Personal information collected as part of a clinical trial or biomedical research study and subject to the Federal Policy for the Protection of Human Subjects
• Information covered under the Fair Credit Reporting Act 

Compliance requirements

The CCPA creates six specific rights for consumers:

1. The right to know or request disclosure of personal information collected by the business about the consumer. This includes from whom it was collected, why it was collected, and, if sold, to whom.
2. The right to delete personal information collected from the consumer.
3. The right to opt out of the sale of personal information.
4. The right to opt-in to the sale of personal information of consumers under the age of 16.
5. The right to non-discriminatory treatment for exercising any rights.
6. The right to initiate a private cause of action for data breaches.

The CPRA creates three additional rights:

1. The right to opt out of automated decision-making technology.
2. The right to correct inaccurate personal information.
3. The right to limit use and disclosure of sensitive personal information.

Enforcement and penalties

The CPRA creates and transfers all rulemaking and enforcement authority from the California attorney general to the new state agency, the California Privacy Protection Agency. 

The CPRA tightens enforcement, removing the mandatory 30-day cure period that businesses currently enjoy under the CCPA and tripling penalties for violations that involve minors under the age of 16. The law also expands the types of data breaches that are considered within the scope of the data breach private right of action to include breaches of a username or email address, in combination with a password or security question and answer that would permit access to an online account.

Penalties include:

• Civil Penalties – In actions by the California Attorney General, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation).
• Damages – In actions brought by consumers for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure. 
• Non-Monetary Relief – In actions brought by consumers for security breach violations, consumers may seek injunctive or declaratory relief, as well as any other relief the court deems proper.
• Businesses may also be subject to an injunction in actions brought by the Attorney General.

Six ways Qohash drives compliance

Breach identification

Monitor sensitive data risk around the clock and receive alerts the instant risky accumulation, deletion or exfiltration occurs. If an incident occurs, use keyword search to look up a specific data element and track the full data lineage, including the exact location where the data got out of an environment, where it ended up – every touch point in between.

Sensitive data inventory

Qohash provides a complete inventory of sensitive, unstructured data at-rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location. Qohash provides labeling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk.

Data deletion

Run keyword searches by name, date, credit card number and more to find all copies of sensitive data across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations. Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.

Risk assessment

A foundational step in conducting a risk assessment, Qohash provides an inventory of regulated data across every data source. It provides access control lists for evaluation as to whether those with access have a legitimate business need for it. Gain insight into all sensitive data critical exposure points. See how much sensitive data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

Policy enforcement

Qohash provides auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement. Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations, for faster remediation.

Access control

Quickly create an access control list of all regulated data. Provide evidence of restrictions and show regular evaluation of whether those with access have a legitimate business need for it.