What is CCPA? – In a nutshell, CCPA is essentially the California version of GDPR, with a few twists. As the rollout of GDPR made clear, with numerous investigations and fines levied against Facebook and Google, the California government was clearly concerned about the privacy of California's citizens. Never mind that this also opened numerous opportunities for the California government to levy fines against negligent businesses! Regardless, it should be fully understood that the requirements for CCPA "changed" while CCPA was being implemented, further "changes" have happened since, and more will likely happen. Thus, everything is in motion, and we still are not entirely sure what other changes will come.
As it stands, individuals (and households) have increased rights as they pertain to their data, though far fewer than under GDPR, which may be either a good or a bad thing. The basic rights that should be understood are:
- Right to know what information a company has about you
- Right to delete that information
- Right to opt out
- Right to data portability
- Right to require companies to not sell that information
However, on 1/1/2023, additional rights will be afforded to data subjects:
- Right to rectify - essentially the right to change information that you determine to be incorrect.
- Right to limit the use of, and disclosure of, sensitive information - now you can direct companies to use your information in a specific manner.
- Right to access information in relation to automated decision making - you have the right to understand how automated decision making happens, and why, as it relates to your information.
- Right to opt out of automated decision making - if you don't like how the automated decision makers arrived at a decision, you can make the company stop doing it.
It's important to note that these rights apply not only to individuals but also to households. Yes, essentially, your house now has rights, and if someone who resides in that household chooses to exercise their rights, then everyone in the household is affected.
As a company, how much should I care? - Great question. First, you have to qualify for CCPA. The requirements are listed below, and we'll discuss each in turn.
- California Business
- Global revenue more than $25M
- Collect information on more than 50K end consumers
- 50% or more revenue from selling information
- You are a "for-profit" entity
So what does this mean? - Well, if you fall under certain circumstances, then you "may" fall under CCPA. That doesn't mean you will fall under CCPA, but it does mean you should be sensitive to CCPA as it relates to how you run your business with California residents. It also opens up areas of debate and possible loopholes.
Let's discuss each area. Note, however, that apart from the California Business requirement, meeting the threshold for even one area qualifies you under CCPA.
- California Business - The main point to understand is that if you don't do business in California, then you are likely OK. Additionally, if you aren't a California business at all, then you are also likely OK. What can come into play, though, is having California residents as customers. If so, you "may" fall under CCPA or, at least, if there is a CCPA incident, you "may" be pursued by the California Attorney General. However, to reiterate, if you aren't a California business, that's a pretty good loophole to understand and, even if you did have California customers, you have the ability to require that customer to prove they were in California when they received your services, as California law doesn't extend outside the state of California. We personally view this as the very first requirement to determine whether CCPA is of concern: are you a California business or not? However, if you have even a single California resident as a customer and meet the other requirements, then you should be prepared.
- Global revenue more than $25M - If you don't make more than $25M, then you are probably good. Conceptually it "feels like" this was done to protect start-up businesses from instantly getting fined. From an alternate viewpoint, however, if a company is going to get fined, then let's ensure the company gets a hefty fine.
- Collect information on more than 50K end consumers - Firstly, having to collect the information is a task in itself, but let's assume the company is an online company that provides blogging services, or maybe a travel agency, where the company is small but handles a large amount of personal information. Then you would fall under this category. It is assumed that the travel agency concept is the reasoning behind this; however, a large number of very small companies now serve a very large number of end users online with a staff of only 10 people. CCPA has this in mind and can fine you accordingly.
- 50% or more revenue from selling information - While this likely doesn't affect most of us, there are some data brokers out there that sell information for the express purpose of providing "marketing leads" to other companies. This could be a one-man company and would still fall under CCPA.
- For-Profit entity - Here we have a great loophole. Non-profits can be excluded provided they do not own or manage a for-profit entity that would fall under CCPA. So, if a non-profit has a subordinate for-profit entity, then that non-profit is now eligible for CCPA.
*Note - It should also be understood that if a company handles sensitive information for 4M or more users, then additional obligations apply that are not covered in this article.
Arrakis can help you become more compliant or remain compliant by offering an unbiased 3rd party assessment that is specifically tailored around the framework or regulation you are required to conform to as well as help reduce your overall risk.
Additionally, Arrakis can provide regulatory or compliance training to your company to help better prepare you for a regulatory environment. Click here to see just some of our options to train you in regulatory compliance.
These solutions can be in several forms:
3rd party audits and assessments - All major frameworks require a 3rd party assessment to be performed in the areas of vulnerability assessment, risk assessment, or 3rd party audit of your information systems. Arrakis can be your trusted advisor, providing an unbiased and brutally honest assessment of where you feel weak or where you feel a regulatory agency may target you. Don't be caught short in high risk compliance areas like CMMC, GDPR, FFIEC, FISMA, etc...
Business Impact Analysis (BIA) - As a matter of good practice, a BIA should be done at least yearly to ensure that you completely understand the level of impact to your business should any portion of your business process fail. How long can you stay down without a major incident? How long can you stay down before your customers decide to move to another solution provider? Knowing the impact to your business, both qualitative and quantitative, is vital and required. Arrakis can help you realize exactly what your impact is.
Gap Analysis - Regardless of what framework you are required to follow, there is always something that needs to be reviewed to see where your gaps, or weaknesses, are, so you have targeted and actionable items on which to focus your remediation or improvement efforts. Don't be caught short in high risk compliance areas like GDPR, FFIEC, FISMA, NIST, etc...
Framework implementation, consultation, or support - All companies that process regulated data are required to conform to some security framework. Whether it be CMMC, GDPR, NIST 800-53, NIST 800-171, ISO 27001, FFIEC, etc., we can help implement a framework or provide consultation services to make your current implementation easier. Additionally, in several situations, companies have to conform to multiple frameworks or create a hybrid framework that reduces the regulatory risk to the company and its executives. Arrakis can help guide you down the path of confusion to a clear outcome.
vCISO/CISO as a service - Some companies simply do not have the budget, experience, or training to have a CISO or an information security department. While all frameworks require a security department and a CISO, it simply isn't in the budget, or there isn't enough technical work to justify hiring the appropriate personnel. Arrakis can help by acting as a trusted advisor to your company's CIO or COO, essentially performing the CISO functions. Technically, by the frameworks, someone in the company must still hold the title of CISO; however, none of the frameworks indicate that the actual "work" can't be outsourced to a reputable 3rd party. Don't be caught short in high risk compliance areas like GDPR, FFIEC, FISMA, etc...
vCIO/CIO as a service - Similar to the CISO as a service item above, some companies are more focused on building their business and increasing their profit margin and just don't have the time or experience to perform CIO functions. They have strategy without execution because they lack the ability to execute. Arrakis can be the IT glue that binds all the technological functions into a cohesive package to fill this gap. The professionals at Arrakis have, on average, over 20 years of experience in all aspects of IT, including managerial functions such as budgeting, project management, and process improvement.
Governance, Risk, and Compliance - Regardless of what framework your company is required to follow or its level of maturity, all companies bear some risk simply because they are in business. Our GRC people can help your company stay in compliance with regulations, assess and track risk to your company, and provide an easy-to-follow governance model to ensure that your company operates in a stable manner that keeps the auditors happy. Don't be caught short in high risk compliance areas like CMMC, GDPR, FFIEC, FISMA, etc...
Policy Creation and Review - Quite often companies have some form of policies in place, but most of the time those policies simply do not meet the requirements of the auditors or the frameworks the company is supposed to follow. While the company's intention is to be compliant, the deficient policies do not help and only draw closer attention from the auditors. Arrakis has years of experience writing policy and can help bring you up to speed with the frameworks and improve your chance of success when it is time to be audited.
Tugboat Logic - Coupled with a GRC program, Tugboat Logic (TBL) can be a solid investment towards lowering and visualizing your risk. Our professionals have years of experience with TBL and other GRC programs as well as industry GRC certifications from OCEG.