Common Questions for CCPA Breach Notification Compliance:
The CCPA applies to for-profit entities that: (1) collect consumer personal information, (2) do business in California, and (3) meet any one of the following criteria:
- Does the company have gross revenue greater than $25 million?
- Does the company buy, receive, sell, or share the personal information of 50,000 or more consumers, households or devices on an annual basis?
- Does the company receive 50% or more of its annual revenue from selling consumer personal information?
Assuming that a company (1) collects consumer personal information and (2) meets one or more of these three criteria, doing business in California means much more than being physically located in California.
For example, it includes companies that maintain mailing lists that include California residents, companies that collect online user information, companies that ship goods into California, and companies that provide services to California residents.
Under the CCPA, the definition of Personal Information is relatively broad, as it includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including name, email, biometric information, geolocation data, household data, and IP address.
The CCPA does not exempt entire entities, such as HIPAA- or GLBA-regulated entities.
However, it does exempt specific data collected in certain contexts by those entities. For example, the CCPA does not apply to Personal Health Information as defined by HIPAA, but it does apply to data collected by a HIPAA-regulated entity that does not fall within that definition. Similarly, the CCPA does not apply to Personal Information collected by financial services companies pursuant to the GLBA, but it does apply to other information collected by those entities, such as information collected via marketing promotions.
As a result, if you are a HIPAA- or GLBA-regulated entity, it is essential to understand the context in which each piece of data is collected.
The private right of action applies to a breach of data regulated under the general data breach notification law, not to the expanded set of data regulated under the CCPA. It is critical that your organization have a clear understanding of which data elements are regulated under which laws, to avoid over- or under-reporting. While every incident comes with a presumption of breach, not every incident should trigger breach notification obligations. Only a consistent, defensible multi-factor incident risk assessment can help you avoid over-reporting.
In fact, Radar benchmarking data indicates less than 6% of the incidents impacting California residents in the past 2.5 years have triggered notification with best practices in privacy incident response.
Breaches under the CCPA do not necessarily affect the breach notification obligations under California law.
You can have a violation of the CCPA that does not trigger breach notification under the breach notification law. Two example cases worth considering are:
- Geolocation and IP Address
- Paper data
Radar and CCPA
A proactive approach to mitigate risk and remain compliant
Leverage the depth of the Radar platform to comply with the CCPA and meet regulatory requirements for breach notification in the state of California and beyond.
KNOW THE LAW
Stay ahead of changing privacy regulations through continuous monitoring of legislative updates
PRACTICE, PRACTICE, PRACTICE
Perform regular simulations and table-top exercises to better understand your company’s risk and identify areas for improvement within your privacy and incident response programs
UNDERSTAND YOUR DATA
Analyze your data inventories and determine what data is subject to the CCPA (or other applicable laws, see below) at the data flow and data element level
DOCUMENT AND IMPROVE
Track your privacy incidents and notifications over time, capturing enough data to establish benchmarks, run trend analysis, and report on key metrics
Additional CCPA Resources
Meet Breach Notification Requirements in California & Beyond
Organizations subject to the CCPA are also likely to find themselves subject to the state’s existing breach notification regulations, including the California general breach notification law and sector-specific federal (HIPAA and GLBA) and state (California Health and Safety Code, Department of Insurance) regulations.