What is CCPA?

The California Consumer Privacy Act (CCPA) is a state statute signed into law in 2018 with the intent of enhancing privacy rights and consumer protection for residents of the state. The law, which went into effect in January 2020, gives consumers more control over the personal information that businesses collect about them and establishes new consumer privacy rights, including:

• The right to know what personal information a business collects about them and how it is used and shared
• The right to have their personal information deleted
• The right to opt-out of the sale of their personal information
• The right to non-discrimination for exercising their CCPA rights

The rights listed above must be included in the business’s Privacy Policy, which must be provided to consumers in an easy to read, understandable, and printable format.

The CCPA requires businesses to provide the following notices to consumers in easy to read and understandable format:

• Privacy Policy
• Notice of Collection of Personal Information
• Notice of Right to Opt-Out of Sale of Personal Information
• Notice of Financial Incentive

The CCPA applies to any for-profit business that conducts business in California and meets any of the following criteria:

• Has gross annual revenues above $25 million
• Buys or sells the personal information of 50,000 or more California residents, households or devices
• Generates 50% or more of its annual revenue from selling the personal information of California residents

Businesses found to be out of compliance with the CCPA are subject to financial penalties of $2,500 for each accidental violation, $7,500 for each intentional violation, plus $750 in civil damages per affected consumer.

To meet CCPA compliance, businesses must encrypt consumer personal information, as noted in Section 1798.150 of the Act: “Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

A. To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

B. Injunctive or declaratory relief.

C. Any other relief the court deems proper."

To put it in simpler terms, if unencrypted consumer data is stolen from a business, affected individuals can sue that business to the tune of either $750 maximum per consumer, or actual damages, whichever is greater.

Consumers can sue a business under the CCPA only if certain conditions are met. The stolen personal information must include the consumer’s first name (or first initial) and last name in combination with the consumer’s:

• Social security number
• Driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity
• Financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to the consumer’s account
• Medical or health insurance information
• Fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs unless used or stored for facial recognition purposes)

Notably, this information must have been stolen in nonencrypted and nonredacted form.

The CCPA itself does not discuss encryption keys. However, let us refer again to Section 1798.150 of the Act (see “Is data encryption required for CCPA compliance?” above) and the statement “…unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices…” (underline added for emphasis). Assuming the records had been encrypted, it would be prudent to expect a post-breach audit to include a review of how and where the encryption keys were maintained. If the keys were stored in the same location as the stolen records or kept in another system with a similar level of protection, such procedures and practices may not rise to the level of “reasonable” in the auditor’s eyes. Therefore, it is advisable to protect encryption keys separately from encrypted data.

Additionally, related legislation goes further to address the consequences businesses face as a result of a breach of consumer information where records were not encrypted or where both encrypted data and encryption keys were stolen. Specifically, as part of an amendment to Assembly Bill 1130, section 1798.82 of the California Civil Code reads, in part:

“A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

The CCPA regulation is broad in scope and requires businesses to take several steps to inform consumers of their rights as well as protect their personal information. A comprehensive CCPA solution will incorporate capabilities such as data encryption, timely consumer notifications, and customer service.

While California was the first to enact an extensive data privacy law, many other states have either adopted or have legislation in progress that aims to adopt requirements similar to the CCPA. As of mid-2022, four other states – Colorado, Connecticut, Utah, and Virginia – have enacted consumer data privacy laws, with each going into effect in 2023. At least a dozen other states have data privacy legislation in progress and more are expected to follow suit.