The California Consumer Privacy Act (CCPA) passed in 2018 and went into effect on January 1, 2020. Key provisions of the CCPA include:
(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
(b) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (A) of paragraph (5) of subdivision (a) of Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information.
(c) A business that receives a verifiable request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.
(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- The categories of personal information it has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected about that consumer.
This suggests the need for software capable of finding and classifying, de-identifying or removing, and auditing changes to customer records. All of these features are in the affordable IRI FieldShield, CellShield EE and DarkShield data masking products, or the comprehensive IRI Voracity data management platform which includes them.
The penalties for non-compliance are severe, and failing to comply is an option no business should take. As enforced under 1798.150:
- (a) (1) Any consumer whose nonencrypted or nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
- (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
- (B) Injunctive or declaratory relief.
- (C) Any other relief the court deems proper.
- state-of-the-art, multi-source data searching, profiling and cataloging functions for DSARs
- deletion or removal functionality for PII everywhere, to comply with the right to erasure
- multiple redaction, encryption, pseudonymization and other PII de-identification methods
- the ability to extract, structure, reformat and deliver PII to facilitate data reporting and record portability
- peer-reviewed re-ID risk scoring algorithms to determine the risk of re-identification based on quasi-identifiers
- demographic data blurring (random noise) and bucketing (generalization) to anonymize data and preserve its value
- automatic, query-ready data profiling and audit logging -- internally, or via SIEM tools, to support compliance verification