
Technological advancements have already reached a stage where Artificial Intelligence is racing to replace human tasks. To achieve this, machines need a massive amount of data. This has resulted in the exponential growth of data mining, which has, in turn, increased the risk of data breaches.
Foreseeing this, countries worldwide have developed various laws to protect the data and privacy of their citizens. CCPA is one such act: it was signed into law on June 28, 2018, took effect on January 1, 2020, and has been enforced since July 2020.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a state-wide privacy law that regulates how businesses use individuals’ personal data. Under CCPA, California residents have the right to know what information is being collected and shared, and companies must disclose the name of any third-party service provider involved in the data processing. Additionally, the law gives consumers control over the data that businesses collect about them.
Who should comply with CCPA?
The CCPA applies to businesses that collect and process the personal information of California residents based on specific criteria. To determine if a business needs to comply with CCPA, the following factors are considered:
- Annual gross revenue
- Consumer data threshold
- Revenue from selling personal information
To elaborate, if a company’s annual gross revenue exceeds $25 million, or if it collects or sells data from 50,000 or more California residents, or if it generates over 50% of its revenue from selling Californians’ personal information, it is required to follow CCPA regulations. It is essential to understand that CCPA sets these criteria to protect the privacy rights of California consumers, and businesses that meet any of these thresholds must ensure compliance.
Which entities are exempt from CCPA regulations?
Businesses that are already subject to strict federal data protection regulations are exempt, such as the healthcare industry under HIPAA, banks and financial companies under GLBA, and credit reporting agencies under the Fair Credit Reporting Act (FCRA). Non-profit organisations and government institutions are also excluded from CCPA compliance requirements.
What are the consumer rights protected by CCPA?
Right to know
Consumers have a right to know about the personal information that businesses gather about them and how it is used and shared. This provision aims to enhance consumer control and promote accountability in the handling of personal information by businesses.
Right to delete
Businesses must give consumers the right to delete any personal information they have already shared with the company. If the company is required to retain the data for legal purposes, the consumer cannot have that data deleted.
Right to opt-out
Opt-out links should be provided in sign-up forms so that consumers can choose whether or not to receive promotional posts or company-related news, and they must be able to opt out at any time. Even if they opted in initially, they must be allowed to opt out whenever they want. Once a consumer opts out, the business may only ask them to opt back in after 12 months.
Right to non-discrimination
The right to non-discrimination under CCPA ensures that individuals who exercise their privacy rights are not subjected to unfair or discriminatory treatment by businesses. This promotes fairness and equal treatment for all individuals.
Right to disclosure
Similar to the ‘right to know’, the right to disclosure requires companies to inform their customers about the purpose of collecting each data set and how it will be utilized.
Right to correct
Businesses must allow consumers to correct or amend any inaccurate or incomplete personal information held by businesses, ensuring the accuracy and integrity of their personal data.
Right to limit
Businesses must only collect and store the data required to provide their service to the customer. Only the personal information needed for that purpose should be handled and retained.
Right to be notified
The right to be notified, a fundamental aspect of the CCPA, requires businesses to inform consumers about collecting, using, and sharing their personal information prior to or during the collection of data. This empowers individuals to make informed decisions regarding data sharing and promotes transparency in data handling practices.
CCPA also mandates periodic privacy policy updates, so that consumers stay informed about how much data the company is collecting. This also lets consumers see whether a new category of data is being collected or shared with a third party.
How to deliver effective CCPA awareness training for your employees?
Set your objectives
The first step is understanding your objectives by identifying organisational risks and employee behaviour. This will help you determine which areas of your organisation require more support and training. Additionally, assessing the behaviour of your employees will help you identify their weaknesses, which can be addressed through appropriate training. At this stage you need to understand your organisation’s data protection and privacy requirements so that the security awareness training you design supports them.
Assess the current knowledge level
Conduct assessments to determine your employees’ understanding of data protection, privacy, and CCPA law. The results will guide training development to address any knowledge gaps and enable you to customise your security awareness program to meet their individual needs.
Create interactive learning modules
Create informative and engaging content that covers all aspects of CCPA. Ensure it is easy for employees to understand and includes relatable real-life examples and scenarios. Keep the content up-to-date and include quizzes and assessments to improve learning.
Bite-sized or big-sized training
At Security Quotient, we provide organisations with micro-learning and e-learning courses designed to enhance their employees’ security awareness. Our courses are conveniently designed to be completed in under 5 minutes and cover various topics. Our dedicated micro-learning app provides interactive quizzes to enhance the learning experience.
Here is a recommended CCPA awareness training syllabus.
1. CCPA Overview
- What is CCPA?
- Purpose of CCPA
- Basic terms and definitions
2. What is covered under CCPA?
- Applicability of CCPA
- Businesses subject to CCPA
- Consumers under CCPA
3. Consumer rights under CCPA
- Right to know
- Right to delete
- Right to opt-out of sale
- Right to non-discrimination
- Right to correct
- Right to limit
- Right to disclosure
- Right to be notified
4. Data Collection, Processing, and Sale
- Understanding personal information
- Transparency in data collection
- Purpose of data processing
- Conditions for sale of personal information
5. CCPA and Your Role as an Employee
- Responsibilities under CCPA
- Impact on day-to-day operations
6. Non-Compliance and Penalties
- Consequences of non-compliance
- Civil and statutory penalties
- Liability in case of a data breach
7. Best Practices for CCPA Compliance
- Data mapping and inventory
- Privacy policy and notice updates
- Consumer request management
- Vendor management
8. Quiz and assessment
Concluding notes
Training your employees on CCPA awareness is essential to protecting your organisation’s data privacy. This training is a legal requirement and promotes a culture of data privacy, transparency, and trust among consumers. Investing in CCPA awareness training helps you avoid potential penalties and strengthens your reputation as a privacy-conscious organisation.