The California Consumer Privacy Act (CCPA) passed in 2018 and went into effect on January 1, 2020. Key provisions of the CCPA include:
1798.105
(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
(b) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (A) of paragraph (5) of subdivision (a) of Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information.
(c) A business that receives a verifiable request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.
1798.110
(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- The categories of personal information it has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected about that consumer.
This suggests the need for CCPA data protection software capable of finding and classifying, de-identifying or removing -- and auditing changes to -- customer records. All of these features are in the affordable IRI FieldShield, CellShield EE and DarkShield data masking tools, or the comprehensive IRI Voracity data management platform which includes them.
The penalties for non-compliance are severe, and failing to comply is an option no business should take. As enforced under 1798.150:
- (a) (1) Any consumer whose nonencrypted or nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
- (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
- (B) Injunctive or declaratory relief.
- (C) Any other relief the court deems proper.
Static data masking tools can help you comply with the CCPA. The proven data masking tools and services from IRI deliver:
- multi-source data profiling, classification, search, extraction and reporting functions for DSARs
- data deletion or de-identification functions for PII everywhere, to comply with the right to erasure
- multiple redaction, encryption, pseudonymization, anonymization and other data obfuscation methods
- the ability to extract, structure, reformat and deliver PII to provide for data reporting and record portability
- peer-reviewed re-ID risk scoring to measure the likelihood of exposing someone even from demographic data
- qualsi-identifier blurring (random noise) and bucketing (generatlization) to anonymize data and preserve its value
- query-ready data search and mask job logs -- internal or displayed in SIEM tools -- for CCPA compliance verification
