Aug 07, 2019

Here Comes CCPA

Ready Or Not, Here It Comes!

As of publication, there are 147 days left until CCPA and SB-327 come into effect. If you are not familiar with these two names, you’ll want to listen up. With these two new laws, the State of California is about to join the European Union at the front of consumer privacy and cybersecurity regulation, including substantial potential fines for organizations that fail to secure the personal data of their customers.


CCPA: California Consumer Privacy Act

Following in the footsteps of the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, CCPA is the first comprehensive state data privacy law in the United States, and the most aggressive so far. It is designed to hold organizations responsible for protecting the personal information of California residents who do business with them.

“A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

3 Key Components Of CCPA

  • Gives Consumers Ownership: Protects a consumer's right to tell a business not to share or sell their personal information.

Under this section of the law, a consumer has the right to know what personal information an organization is collecting about them, their devices and their children, and has the right to request that the business delete that data. If a business collects a consumer’s personal information, it must disclose on request, free of charge and up to twice in any 12-month period, the categories and specific pieces of information it has collected. If a business sells a consumer’s personal information, it must tell the consumer which categories of personal information it is selling and the categories of third parties to whom they were sold.

  • Gives Consumers Control: Lets consumers gain control over the personal information that is collected about them.

CCPA gives consumers the right to “opt out” and specifically tell businesses not to sell their personal data, and it requires a clear and conspicuous way to choose this option: there is no hiding the opt-out somewhere deep in a privacy policy or a dense terms and conditions contract. It also prohibits discrimination against people who exercise their right to opt out. If a consumer opts out, a business cannot 1) deny them goods or services; 2) charge different prices or rates, including through discounts, other benefits or penalties; 3) provide a different level of service or quality of goods; or 4) suggest that the consumer will receive a different price, rate, level or quality of goods or services. The one carve-out is that the law permits a price or service difference that is reasonably related to the value the consumer’s data provides to the business.

  • Gives Consumers Recourse: Holds businesses responsible for safeguarding consumers’ personal information.

This is where CCPA gets serious: the penalties finally have the teeth needed to hurt businesses that don’t take data security seriously. Intentional violations can bring civil penalties of up to $7,500 per violation and up to $2,500 for other violations, with no statutory cap on the total. Separately, consumers whose nonencrypted or nonredacted personal information is exposed in a breach caused by a failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Further clarification is still needed on how the civil penalties will be assessed, but if a violation is counted for each consumer whose personal data is affected by a breach, the exposure from a massive breach could easily reach billions of dollars.

Most Small Businesses Are Exempt

CCPA applies to any for-profit entity that collects consumers’ personal data, does business in the state of California and satisfies at least one of the following thresholds: 1) has annual gross revenues in excess of $25 million; 2) annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or 3) derives 50 percent or more of its annual revenue from selling consumers’ personal information.

SB-327: Information privacy for connected devices

“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

As we previously wrote, California’s new IoT device law, which also goes into effect on January 1, 2020, requires the manufacturer of any device that can connect to the internet and is assigned an IP or Bluetooth address to equip it with “reasonable” security features that protect the device and any information it contains. The statute gives one concrete example: if the device can be authenticated from outside a local area network, either each unit must ship with a unique preprogrammed password, or the device must require the user to set a new means of authentication before it is first accessed. Beyond that, there is a lot of room for interpretation of what is “reasonable,” and the law specifies no penalties and creates no private right of action; enforcement is left to the Attorney General and local prosecutors. In conjunction with CCPA, however, manufacturers should take note of the potential impact on their organizations of any missteps if they plan to continue doing business with California residents.

How Should You Prepare for January 1, 2020?

Unlike with the GDPR deadline, you are unlikely to receive a slew of updated privacy policies hitting your inbox on December 31st. But, as a consumer, you SHOULD notice the emergence of new “opt out” boxes on websites asking to collect or store any of your personal information.

From a business perspective, the key to success is 1) know your data and 2) secure your data. Understanding where sensitive data resides and how it is accessed across all of your systems, devices and applications is critical. If you didn’t conduct a thorough data audit in preparation for the GDPR, now is the time to start.

Once your data audit is complete, look at how sensitive data is being accessed. Organizations typically start at the database and add layers of protection from the data center out. Don’t forget to look from the outside in! In today’s world, applications are often the first interaction between a consumer and a business, whether it is an app on a mobile device or a web app in a browser; apps are everywhere, and they are a primary collection point for a consumer’s personal information.

Take a look at your apps. Understand what information is used or collected inside the app. See how the app interacts with your backend infrastructure. Does it use APIs? User credentials or tokens to access back office systems? How is the app secured? How is the data secured at rest and in transit?

Data privacy is about to get serious. Are you ready?

Deborah Clark McGinn

Deborah Clark McGinn is the VP of Global Marketing at Arxan. She has over 15 years of experience in enterprise, SMB and consumer marketing. Prior to Arxan, Mrs. McGinn led Global Product Marketing for Neustar’s Security and Risk divisions and Symantec’s Norton Consumer and Small Business Unit. She was responsible for bringing products to market with innovative strategies to break into new categories and markets, including launching the consumer mobile security business for Norton and web application firewall business for Neustar. She holds an MBA from the Leonard N. Stern School of Business at New York University and a BA from the University of California, Berkeley.
