Drive CCPA and CPRA sensitive data compliance
As of January 1, 2023, CPRA extends further protections to “Sensitive Personal Information.” Qohash finds SPI on any data source, in any location, and monitors it 24/7, for evidence of sensitive data policy enforcement.
CCPA and CPRA Overview
The California Consumer Protection Act
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are considered the most comprehensive consumer data privacy laws in the U.S., and a benchmark for other states.
CCPA was enacted to enhance privacy rights of California residents by setting guidelines on how businesses should handle private consumer information. CPRA, also known as CCPA 2.0, builds on CCPA’s foundation and enhances consumer privacy protections, as well as the obligations for companies and organizations that process personal information.
CCPA has been fully enforceable since July 2020. Businesses have until January 1, 2023 to become CPRA compliant.
Businesses impacted
CPRA’s amendments to CCPA apply to any for-profit business that collects personal information on California-based consumers and meets any of the below criteria:
- Had gross annual revenue of $25M as of January 1, 2022 or the preceding calendar year
- Buys, receives or sells personal info of 50,000 or more CA residents, households or devices
- Derives 50% or more of income selling CA residents’ personal info
Note: Businesses need not have operations or employees in CA in order to be subject to CPRA.
CCPA does not apply to nonprofit orgs or government agencies. Other exemptions include:
- Consumer reporting agencies that are covered by the Fair Credit Reporting Act
- Financial Institutions covered by the Gramm-Leach-Bliley Act
- Entities covered by the Insurance Information and Privacy Protection Act
For purposes of CCPA, a California resident is defined as an individual who uses California residency for income tax purposes. CCPA does not protect consumers who are temporarily in the state of California.
Data types covered
The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with a particular consumer or household. This includes: name, address, birthday, biometric data, social security number, telephone number, email address, and any other information linkable to a specific individual.
Sensitive Personal Information is a subset of personal information newly defined in the CPRA.
SPI is personal information that reveals:
- social security, driver’s license, state identification card, or passport numbers
- account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- precise geolocation
- racial or ethnic origin, religious or philosophical beliefs, or union membership
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
- genetic data
The CCPA offers two exemptions:
- Personal information collected by a business about a person who was either a job applicant or past/current employee. The exemption is limited to when the business used the information
provided “solely” for employment-related actions. - The B2B exemption applies to personal information of employees or business contacts that a business collected to aid in providing or receiving a product or service to and from another business.
Neither the CCPA and CPRA extend to data already protected by other laws, such as:
- Financial services providers already in compliance with the GLBA
- Medical information protected under the California Confidentiality of Medical Information Act
- Personal information collected as part of a clinical trial or biomedical research study and subject to the Federal Policy for the Protection of Human Subjects
- Information covered under the Fair Credit Reporting Act
Compliance requirements
The CCPA creates six specific rights for consumers:
- The right to know or request disclosure of personal information collected by the business about the consumer. This includes from whom it was collected, why it was collected, and, if sold, to whom.
- The right to delete personal information collected from the consumer.
- The right to opt out of the sale of personal information.
- The right to opt-in to the sale of personal information of consumers under the age of 16.
- The right to non-discriminatory treatment for exercising any rights.
- The right to initiate a private cause of action for data breaches.
The CPRA creates three additional rights:
- The right to opt out of automated decision-making technology.
- The right to correct inaccurate personal information.
- The right to limit use and disclosure of sensitive personal information.
Enforcement and penalties
The CPRA creates and transfers all rulemaking and enforcement authority from the California attorney general to the new state agency, the California Privacy Protection Agency.
The CPRA tightens enforcement, removing the mandatory 30-day cure period that businesses currently enjoy under the CCPA and tripling penalties for violations that involve minors under the age of 16. The law also expands the types of data breaches that are considered within the scope of the data breach private right of action to include breaches of a username or email address, in combination with a password or security question and answer that would permit access to an online account.
Penalties include:
- Civil Penalties – In actions by the California Attorney General, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation).
- Damages – In actions brought by consumers for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure.
- Non-Monetary Relief – In actions brought by consumers for security breach violations, consumers may seek injunctive or declaratory relief, as well as any other relief the court deems
proper. - Businesses may also be subject to an injunction in actions brought by the Attorney General.
How Qohash drives CCPA compliance
Provide evidence to auditors of clear steps taken to secure the confidentiality of customer information and protect it against threats and unauthorized access.
Find sensitive data, everywhere
Qohash solution
The CPRA introduces new requirements for “sensitive personal information.” Businesses must limit the use of SPI and make sure it’s adequately protected.
Conduct privacy risk assessments
Qohash solution
The CPRA requires any business that processes personal data to perform periodic privacy risk assessments and independent cybersecurity audits.
Fulfill deletion requests
Qohash solution
Run keyword searches by name, date, credit card number, and more to find all copies of SPI across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations.
Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.
CCPA/CPRA gives consumers the right to know what SPI is in their possession, correct inaccurate information, and delete sensitive personal data upon request.
Automate data retention
Qohash solution
CCPA/CPRA requires that businesses have data retention policies in place so that data is automatically deleted once it’s no longer relevant to the business.
Schedule a demo
See how you can maintain an inventory of CCPA-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.