The California Consumer Privacy Act (CCPA) is a state law that protects residents of California from abuse and exposure of their personal information. The legislation was passed in 2018 after a privacy group, Californians for Consumer Privacy, qualified a ballot initiative that was withdrawn in exchange for the statute. It went into effect on January 1, 2020.
An amendment to CCPA, the California Privacy Rights Act (CPRA), introduces new applicability criteria and stricter regulations than the CCPA, as well as heftier fines for organizations that fail to comply. CPRA was passed in 2020 and goes into full effect on January 1, 2023.
CCPA protects personal information, which the legislation defines as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes:
CCPA applies to any for-profit business that collects, processes or stores personal information on California residents, regardless of whether it has a physical presence in the state. Organizations that do business with Californians must comply with the CCPA if they meet any of these criteria:
Many businesses have found it easier to apply the CCPA requirements to all of their customers rather than single out California residents. Furthermore, CCPA and its European predecessor, the General Data Protection Regulation (GDPR), are widely expected to be the first of many privacy regulations to come. Some organizations have chosen to adopt the requirements in anticipation of future restrictions and to build consumer trust.
Businesses are CCPA compliant when they adhere to the requirements set out in the legislation. At the core of CCPA are the data privacy rights granted to California residents, and these have many implications for how and when businesses can collect and store personal information.
In addition, businesses are required to have a privacy policy and give consumers certain notices when data is breached.
CCPA requires companies to let consumers opt out of having their personal information sold to, or shared with, third parties. In practice that means a company must be able to show that its third-party vendors cannot access sensitive data once a consumer has opted out.
Furthermore, organizations are responsible not only for upholding consumer rights themselves, but also for whether their third-party vendors comply. Such vendors often supply JavaScript code snippets, including social media pixels, chatbots, tracking scripts and payment iframes.
If consumer data is exposed on your site because of an attack on a third-party vendor, you are no longer compliant with CCPA and liable for any damages that result. Even if third-party code accesses sensitive data on a site non-maliciously, the website owner could still be in violation of CCPA.
Third-party code vendors often state in their legal agreements that they aren’t responsible for what data gets grabbed by their systems. If they do get access to sensitive data, they are free from liability because the onus was on the website to not grant access in the first place. It is critical to continuously audit third-party code and always verify that it is collecting expected data.
Using client-side JavaScript leaves websites at risk of a supply chain attack that exposes protected data. Here’s why:
By leveraging vulnerabilities in client-side code, cybercriminals can conduct digital skimming and PII harvesting attacks. If consumer data is exposed due to an attack on your site, you could be forced to pay a hefty CCPA fine.
The penalties for CCPA noncompliance are severe. Organizations can be fined up to $2,500 per unintentional violation and up to $7,500 for each intentional violation. Under the original CCPA, penalties follow a notice from the California attorney general's office and a 30-day grace period in which to cure the violation.
CCPA allows consumers to bring civil suits when an organization permits unauthorized access, theft or disclosure of protected data because it failed to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if greater.
This private right of action applies only to data breaches. Other CCPA violations, such as failing to honor opt-out requests, are enforced by the California attorney general (and, under CPRA, the California Privacy Protection Agency) rather than through consumer lawsuits.
Many well-known brands have been heavily fined for CCPA violations.
HUMAN Client-Side Defense provides real-time visibility and granular control into the client-side supply chain attack surface. The solution identifies vulnerabilities and anomalous behavior, and proactively mitigates risk using a combination of Content Security Policy (CSP), granular JavaScript blocking, and comprehensive client-side mitigation. This allows website owners to prevent known malicious scripts from loading and transmitting personal data, as well as to block third-party JavaScript from accessing sensitive form fields, without disabling the entire script. Client-Side Defense safeguards users’ PII against unauthorized exposure, helping to ensure CCPA compliance.