AI Summarize

Share

The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), is a significant piece of legislation that protects the privacy rights of people in California.

These laws set out the privacy rights of consumers in California, and establish rules for how businesses should deal with personal information. As required by these laws, businesses must also implement "reasonable security procedures" to protect this personal data.

This article will cover what personal information is for the CCPA/CPRA, what the difference between privacy and security is in these laws, and what you should do to set up reasonable security measures.

Let's begin.


What are the CCPA/CPRA?

The CPRA expanded upon the California Consumer Privacy Act (CCPA), and came into force in November 2020 (after the CCPA's January 2020 start).

The CPRA increased regulations for businesses, added extra protection for the privacy rights of individuals, and established the California Privacy Protection Agency (CPPA).

The CCPA now gives individuals the right to:

  • Limit the use and disclosure of their personal information
  • Opt out of the sale of their personal information
  • Correct information held about them
  • Know what information businesses hold about them
  • Equal treatment
  • Have their data deleted

The CCPA can apply to businesses outside of California, if they collect information from California residents. Think about whether your website is likely to have American customers, some of which are likely to come from California. If this is the case, you should comply with the CCPA's rules.

Now let's take a look at what personal information is for the purposes of the CCPA.

What is Personal Information under the CCPA/CPRA?

Personal information in the CCPA/CPRA is defined as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Personal information includes, but is not limited to:

  • Identifiers such as:

    • Real name or alias
    • Postal address
    • IP address
    • Email address
    • Social security number
    • Driver's license number
    • Passport number.
  • Commercial information, including records of personal property, or products or services purchased
  • Biometric information
  • Internet information such as browsing or search history, cookies, or advertising data
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences drawn from other information that can create a profile about a consumer reflecting the consumer's preferences, characteristics, behavior, attitudes, or abilities
  • Sensitive personal information.

Now let's take a look at privacy and security under the CCPA/CPRA for how businesses should handle this personal information.

What is the Difference Between Privacy and Security in the CCPA/CPRA?

Like in other privacy laws, privacy in the CCPA/CPRA relates to the individual's rights to control their information. This includes what information is given, to whom, for what purpose, for how long, how it is further shared, transferred or processed, and rights to deletion, amendment, and so on.

Security is how this private information is protected from breach, disclosure, misuse, or loss.

Under the CCPR/CPRA, businesses that collect the personal information of individuals in California must "implement reasonable security procedures and practices appropriate to the nature of the personal information." You can see this in section 1798.100 (e) of the CCPA below:

CCPA Section 1798: Definition of Personal Information

Now let's take a look at what these reasonable security procedures and practices are.

What Do the CCPA and CPRA Require for Reasonable Data Security Measures?

As noted, in the above section 1798.100 (e) the CCPA states businesses "shall implement reasonable security procedures and practices". But "reasonable security" is not defined.

The section says that this security should be implemented "in accordance with Section 1798.81.5," which is another part of the California Civil Code. However, this section also does not define reasonable security. So how should you decide what is reasonable?

Three ways that you can use to decide whether you are using reasonable security procedures and practices include:

  • Using general legal definitions of "reasonable"
  • Following common security standards
  • Looking at examples from other businesses' Privacy Policies

Let's take a look at each of those.

The word "reasonable" is a commonly used legal word, which can provide some help. It is often used in cases of negligence, to decide whether a person has acted negligently, or without "reasonable care".

The Legal Information Institute at Cornell offers this definition of reasonable:

Cornell Legal Information Institute: Definition of Reasonable

The key part is that a reasonable person standard is "the standard of care that a reasonably prudent person would observe under a given set of circumstances." So, when thinking about "reasonable security procedures and practices", you should consider what a prudent person would do, under those same circumstances.

Some factors you should consider include:

  • How sensitive is the data you are collecting? The more sensitive the data, the more protection you need.
  • How much data, or how many different types of data do you collect from an individual? Multiple data forms can be combined to expose an individual. If you collect multiple different pieces of data, apply more protection.
  • How long are you keeping data for? For data kept for longer periods, you will need more protection.
  • What is the service you are collecting data for? If you are collecting data for a health purpose, religious, dating, sexual, or otherwise sensitive services, apply more protection.
  • How likely is it that your business data would be attacked by malicious actors?
  • How likely is it that data could be breached or misused internally?

When you combine these factors and consider what a prudent business owner or website operator would do, it can give you an idea of what might be considered "reasonable".

Now let's take a look at some other approaches you can use to decide how much, and which types of security you should apply to meet the "reasonable" standard.

Following Common Security Recommendations

Common security standards and recommendations can help to inform what is reasonable to protect personal information for the purposes of the CCPA.

Organisations that can provide recommendations include:

  • The National Institute of Standards and Technology (NIST)
  • International Organization for Standardization (ISO)
  • Center for Internet Security (CIS)

Let's take a look at each of those.

NIST

The National Institute of Standards and Technology (NIST) has a number of guidelines and recommendations to improve the cybersecurity of businesses. This can help to protect the personal information of people that you collect, and help you to comply with the CCPA/CPRA requirement for "reasonable" security measures.

For example, NIST suggests the following list of cybersecurity basics:

NIST: Basics of cybersecurity

As you can see, this includes business education, the use of multi-factor authentication, prevention of phishing attacks, the use of strong passwords, anti-virus software, and regularly updating and patching software.

By following recommendations like this and implementing good business and organisational practices, you can improve security and make sure that user privacy is protected.

Other standards may be more detailed, such as ISO 27001. Let's take a look.

ISO 27001

The International Organization for Standardization (ISO) provides standards for information security, cybersecurity and privacy protection. Standard 27001 is described by ISO as "the world's best-known standard for information security management systems".

ISO 27001 includes three main principles that you should follow to maintain strong security and privacy protection. These are confidentiality, integrity and availability.

ISO 27001: Principles of Confidentiality, Integrity and Availability

This means that information should only be available as far as necessary and not further, data should be reliably stored and not damaged, and information should be available when necessary.

When you follow these principles of risk management, your security standards align with the ISO 27001 standard.

You can obtain an ISO certificate if you can demonstrate you are committed and able to manage information securely and safely, in line with the details of the standard.

To do this, you need to take a course and pass exams to show your business and staff understand what is required. This can help to show users and regulators that you are following reasonable security measures.

Center for Internet Security's Critical Security Controls

Another organisation to look at is the Center for Internet Security (CIS) and their Critical Security Controls.

There are 18 CIS Critical Security Controls, including control of assets, data protection through technical controls, secure configuration, vulnerability management, log management, email and web protection, malware defenses, data recovery, network monitoring, the use of secure providers, and more.

Here's an example of the CIS controls 13, 14, and 15, to give you an idea of what they contain:

CIS Controls Overview: 13, 14 and 15

You can see this includes setting up network monitoring and defense, maintaining a security awareness program, and evaluating any service providers you work with for their security practices.

By following such controls, you can significantly improve the security of your business practices and data that you hold.

Practical Examples from Privacy Policies

Many Privacy Policies also contain a security section, which outlines how personal information is protected. By looking at these examples, you can get an idea of what other businesses use to keep data secure.

Here's an example from FRAS Canada that explains how personal data is protected. It notes that built-in security protection is used through Microsoft Azure. It also notes that password-protected systems and encryption are used, and that personnel have been trained about privacy and security.

FRAS Canada: How do we protect personal data in Privacy Policy

You can see the section also notes that data access is restricted on a "need to know" basis, electronic data is protected with firewalls, access controls, and encryption.

This example from Zycus also notes similar approaches, including practices in line with ISO standard 27001. This includes strategic, operational, managerial, technical, and physical security controls.

Zycus Privacy Policy: Section of Data Protection

Also note that personal information is restricted to a "need to know" access system, and that encryption and other technical security controls are applied.

Here's an example from Vericut. This section is quite a bit shorter, but notes that the practices are "appropriate to the nature of the information".

Vericut Privacy Policy: How we protect your personal information

As discussed, the security measures necessary do depend on the type of information you collect, the purposes you need it for, and other factors.

Finally, here's an example from Sclerodema.org's Privacy Policy. Here you can see that processes are followed to ensure data is protected. In addition, independent external and internal audits are conducted.

Scleroderma Privacy Policy: We care about doing it right

This process of auditing can add an extra layer of protection to your security set-up, by helping to make sure that your systems are working as well as you expect them to be.

Summary

The CCPA/CPRA does not define reasonable security procedures and practices. This makes it hard for businesses to know how to protect the security of personal information. You can make use of legal definitions of reasonableness, common security standards such as NIST standards or ISO 27001, and practical methods used by other similar websites or businesses. Make sure that the security measures you apply are fitting to the type of data you collect, and ensure that you have taken actions that a "prudent person" in the same circumstances would have done.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy