What is the CCPA?
CCPA (California Consumer Privacy Act) is a new law that entered into force on January 1, 2020, with enforcement beginning in July 2020. It is important to emphasize this because, once enforcement begins, the preceding 12 months can be reviewed, which means that companies should already begin to comply. The law is designed to give California residents the right to know what personal data is collected about them, whether it is sold or disclosed and to whom, to access their data, and to demand that it be deleted. The law is similar to GDPR but has its differences, including how it treats device identification and personal information.
Whom does the CCPA apply to?
CCPA applies to all businesses and any for-profit entities that do business in California and satisfy one or more of the following:
• Annual gross revenue > $25 million
• Processes personal information of > 50 000 consumers, households, or devices
• Earns more than half of its annual income from selling consumers' personal information
What does CCPA say about data classification?
Well, nothing. There are no requirements in CCPA that state that businesses need to perform data classification.
There are still several other aspects where having performed a data classification would contribute to compliance with the regulation.
1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. If all the collected data sits in a structured database, you may have control over it, but once the information is extracted into Excel for reports and analysis, you lose that control. This is where performing data classification can help.
According to subdivision (a), a business that receives a verifiable request from a consumer to delete the consumer’s personal information according to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records. Data classification helps you ensure that you also remove the personal data from all documents, reducing the risk of leakage or of the report finding its way back into the database somehow.
1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action. Keep control over where you process personal information so that you can protect it accordingly. An excellent way to keep control is to classify the documents to know where you have confidential information that needs the highest degree of protection.
Summary: There is no requirement for doing data classification, but there are requirements for knowing what data you are processing (data inventory), where it is, and protecting it according to its criticality.