CCPA Guide

CCPA for Developers

The California Consumer Privacy Act (CCPA) is a comprehensive data protection law that went into effect on January 1, 2020. The data security framework has a major impact on both consumers and businesses. Achieving compliance shouldn’t be a struggle; here is a simple checklist to help you harden your CCPA compliance.


CCPA Checklist

Data mapping is the first step to CCPA compliance. In order to comply with the law, businesses will need to know what data is collected, where it is collected, where it is stored, and how it flows through the organization.

Requirements

  • In order to comply with the law, businesses will need to know what data is collected, where it is collected, where it is stored, and how it flows through the organization.

Tools

  • Application inventories detailing things like service names, ownership, host names, data types, patching information, etc.
  • Data mapping

Operational Suggestions

  • Designate a single source of truth for all data
  • Maintain lineage and tracing for all data

In order to handle CCPA data requests, businesses need to inform consumers of why and how data is being used.

Requirements

  • Your privacy policy should be available on the website. It should disclose to the consumer:
    • The categories of personal information to be collected
    • The purpose for the use
    • The right to ask for deletion of personal information
    • That the business sells personal information and that the consumer has the right to opt out. If the business does not sell personal information it should state that in the privacy policy

Tools

  • Create a pop-up privacy notice at or before the point of collection, with a link to the full privacy notice, that includes:
    • Categories of personal information to be collected
    • Purpose of the use

Operational Suggestions

  • Work with your privacy officer and/or legal department to craft a standard privacy notice for the website and an abbreviated pop-up policy at the point data is collected
  • Ensure that contracts with third parties prohibit the sale of any data transferred to the third party unless they have express consent from the consumer

Example Usage

Request

curl https://api.verygoodsecurity.com/requests?user-id=1

Response

{
  "data": [{
    "user_id": "user-id-1",
    "tenantIdentifier": "tnt1",
    "hostName": "tnt1.sandbox.verygoodproxy.com",
    "actionType": "CREATED",
    "createdAt": "2020-01-13T13:21:14.978939",
    "aliases": [{
      "alias": "4e185065-62c0-45ab-8fda-8b15e45786e7",
      "createdAt": "2020-01-13T13:21:14.978939"
    }],
    "tags": [{
      "tag": "email",
      "createdAt": "2020-01-13T13:21:14.978939"
    }]
  },
  {
    "user_id": "user-id-1",
    "tenantIdentifier": "tnt1",
    "hostName": "mailchimp.com",
    "actionType": "RETRIEVED",
    "createdAt": "2020-01-21T10:55:20.123832",
    "aliases": [{
      "alias": "4e185065-62c0-45ab-8fda-8b15e45786e7",
      "createdAt": "2020-01-13T13:21:14.978939"
    }],
    "tags": [{
      "tag": "email",
      "createdAt": "2020-01-13T13:21:14.978939"
    }]
  }]
}

Businesses must handle incoming consumer requests and verify that they originate from the owner of the data before fulfilling those requests.

Requirements

  • Consumers have the right to request information on what data you have collected about them and/or sold in the previous 12 months
  • Businesses must verify that the request is valid
  • Consumers can only make 2 requests in a 12-month period.
  • Handling consumer requests:
    • Two methods for handling consumer requests
      • A toll-free number
      • A web page with a form or other means of initiating a request
    • Must be handled within 45 days, or with an extension within 90 days
    • Data must be reported for the 12-month period preceding receipt of the request
    • Must be in a readily usable format that allows them to transfer the information to another entity
      • Can be shared via download functionalities within the consumer’s online account
      • If no account, it should be sent in a readily usable format that allows the consumer to transmit the information to another entity

Tools

  • Toll-free number
  • Link to a website form
  • Consumer portal function
  • Portable media to provide to customers if needed

Operational Suggestions

  • Develop a process to verify consumer requests
  • Create a dedicated email account to receive requests

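The following is an added example, not code from the VGS guide, that turns the Data mapping section and the consumer-request rules above into a small handler: a request is served only after identity verification, at most twice per 12-month period, with a 45-day deadline (90 days with an extension), covering the 12 months preceding receipt, and exported as JSON. SAMPLE_LOG is constructed to mirror the shape of the /requests response shown on this page; the field names are taken from that response, while the fourth record and the request dates are made up.

```python
"""Added example: CCPA request handling and data map over a request log.
Not part of the guide; see the lead-in for what is constructed."""
import json
from datetime import date, datetime, timedelta

# Constructed sample in the shape of the /requests response above.
# The "legacy-crm.example" record is made up to show the 12-month window.
SAMPLE_LOG = [
    {"user_id": "user-id-1", "hostName": "tnt1.sandbox.verygoodproxy.com",
     "actionType": "CREATED", "createdAt": "2020-01-13T13:21:14.978939",
     "tags": [{"tag": "email"}]},
    {"user_id": "user-id-1", "hostName": "mailchimp.com",
     "actionType": "RETRIEVED", "createdAt": "2020-01-21T10:55:20.123832",
     "tags": [{"tag": "email"}]},
    {"user_id": "user-id-1", "hostName": "stripe.com",
     "actionType": "RETRIEVED", "createdAt": "2020-01-25T22:10:23.253575",
     "tags": [{"tag": "email"}]},
    {"user_id": "user-id-1", "hostName": "legacy-crm.example",
     "actionType": "RETRIEVED", "createdAt": "2019-03-02T09:00:00.000000",
     "tags": [{"tag": "email"}]},
]


def parse_date(s):
    """ISO date string -> date; used at the API boundary."""
    return date.fromisoformat(s)


def twelve_months_before(d):
    """Same calendar day one year earlier; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year - 1)
    except ValueError:
        return d.replace(year=d.year - 1, day=28)


def deadlines(received):
    """Statutory response deadline (45 days) and extended deadline (90 days)."""
    return received + timedelta(days=45), received + timedelta(days=90)


def requests_allowed(previous_requests, received, limit=2):
    """True if fewer than `limit` requests were served in the preceding 12 months."""
    window_start = twelve_months_before(received)
    recent = [d for d in previous_requests if window_start < d <= received]
    return len(recent) < limit


def records_in_window(log, user_id, received):
    """Log entries for the consumer dated within the 12 months before receipt."""
    window_start = twelve_months_before(received)
    out = []
    for rec in log:
        if rec["user_id"] != user_id:
            continue
        ts = datetime.fromisoformat(rec["createdAt"]).date()
        if window_start < ts <= received:
            out.append(rec)
    return out


def data_map(records):
    """Data map: for each data type (tag), which hosts created or retrieved it."""
    m = {}
    for rec in records:
        for t in rec["tags"]:
            m.setdefault(t["tag"], set()).add((rec["hostName"], rec["actionType"]))
    return {tag: sorted(hosts) for tag, hosts in m.items()}


def build_export(log, user_id, received, previous_requests, verified):
    """Reject unverified or over-limit requests; otherwise assemble the export."""
    if not verified:
        return {"status": "rejected", "reason": "identity not verified"}
    if not requests_allowed(previous_requests, received):
        return {"status": "rejected", "reason": "request limit reached for 12-month period"}
    recs = records_in_window(log, user_id, received)
    due, extended = deadlines(received)
    return {
        "status": "accepted",
        "due_by": due.isoformat(),
        "extended_due_by": extended.isoformat(),
        "window_start": twelve_months_before(received).isoformat(),
        "categories": sorted({t["tag"] for r in recs for t in r["tags"]}),
        # Hosts that retrieved the data are the third parties it was shared with
        "third_parties": sorted({r["hostName"] for r in recs if r["actionType"] == "RETRIEVED"}),
        "data_map": data_map(recs),
        "records": recs,
    }


def export_json(result):
    """Readily usable, machine-readable format for the consumer."""
    return json.dumps(result, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_json(build_export(SAMPLE_LOG, "user-id-1", parse_date("2020-06-01"), [], True)))
```

The request counter and the lookback window both key off the date the request was received, which is the date a practitioner should store with the verification evidence; the export lists retrieving hosts separately so the "sold or disclosed" part of the answer is not buried in the raw records.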
Data collection and use should be limited to that which is necessary.

Requirements

  • Data should be collected for a specific purpose and only the minimum amount of data needed should be collected

Tools

  • Privacy applications with data minimization analysis functions
  • Business Requirements Documents

Operational Suggestions

  • Ensure data collection is in line with your privacy notice
  • When designing forms or other data collection functionality, make sure that the data required is only the minimum amount needed for the purpose. If you don’t need social security number, don’t ask for it. (Data Minimization)
  • Apply purpose limitation to ensure that data used internally is used in line with the privacy policy
  • Document the results and requirements
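As an added example (not the guide's own code), the data-minimization and purpose-limitation points above can be enforced at the point of collection in code. DECLARED_FIELDS and COMPATIBLE_USES are constructed stand-ins for the categories and purposes listed in a privacy notice; a form may only submit fields declared for its purpose, undeclared fields (an SSN on a newsletter form, say) are refused rather than silently dropped so over-collection surfaces during development, and each record remembers the purpose it was collected for so later internal use can be checked and documented.

```python
"""Added example: data minimization and purpose limitation as code-level controls.
Not part of the guide; the purposes, fields and uses below are constructed."""

# Constructed: fields the privacy notice declares, keyed by collection purpose
DECLARED_FIELDS = {
    "newsletter_signup": {"email"},
    "checkout": {"email", "shipping_address", "payment_token"},
}

# Constructed: internal uses compatible with each collection purpose
COMPATIBLE_USES = {
    "newsletter_signup": {"send_newsletter"},
    "checkout": {"fulfil_order", "fraud_detection"},
}

AUDIT = []  # documents every accepted collection and use ("Document the results")


class MinimizationError(ValueError):
    """A form tried to collect data the privacy notice does not declare."""


class PurposeError(ValueError):
    """Stored data was requested for a purpose it was not collected for."""


def collect(purpose, submitted):
    """Accept a form submission only if every field is declared for its purpose."""
    if purpose not in DECLARED_FIELDS:
        raise MinimizationError(f"purpose {purpose!r} is not declared in the privacy notice")
    undeclared = sorted(set(submitted) - DECLARED_FIELDS[purpose])
    if undeclared:
        # Refuse, do not drop: a rejected request is visible in testing, a dropped field is not
        raise MinimizationError(f"fields not declared for {purpose!r}: {undeclared}")
    # Empty optional fields are not stored at all: minimum data, not just minimum schema
    record = {k: v for k, v in submitted.items() if v not in (None, "")}
    record["_purpose"] = purpose
    AUDIT.append(("collect", purpose, sorted(k for k in record if k != "_purpose")))
    return record


def use(record, use_case):
    """Release a record for internal use only when the use fits its collection purpose."""
    purpose = record["_purpose"]
    if use_case not in COMPATIBLE_USES.get(purpose, set()):
        raise PurposeError(f"{use_case!r} is not compatible with data collected for {purpose!r}")
    AUDIT.append(("use", purpose, use_case))
    return {k: v for k, v in record.items() if not k.startswith("_")}


if __name__ == "__main__":
    rec = collect("newsletter_signup", {"email": "a@example.com"})
    print(use(rec, "send_newsletter"))
    try:
        collect("newsletter_signup", {"email": "a@example.com", "ssn": "000-00-0000"})
    except MinimizationError as e:
        print("refused:", e)
```

Keeping the declared-field table next to the code that reads forms makes the privacy notice and the actual collection drift apart less easily; when a new field is needed, the table (and the notice) has to change first.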

Requirements

  • Consumers have the right to request information on what data you have collected about them and/or sold in the previous 12 months
  • Businesses must verify that the request is valid
  • Businesses must provide the consumer with access to their data

Tools

  • Ability to query and export data for a given consumer
  • Portable media to provide to customers if needed

Operational Suggestions

  • Do not allow consumers to provide their own USB sticks or other portable media to transfer information. This can introduce malware into your environment.

Example Usage

Request

curl https://api.verygoodsecurity.com/requests?user-id=1

Response

{
  "data": [{
    "user_id": "user-id-1",
    "tenantIdentifier": "tnt1",
    "hostName": "tnt1.sandbox.verygoodproxy.com",
    "actionType": "CREATED",
    "createdAt": "2020-01-13T13:21:14.978939",
    "aliases": [{
      "alias": "4e185065-62c0-45ab-8fda-8b15e45786e7",
      "createdAt": "2020-01-13T13:21:14.978939"
    }],
    "tags": [{
      "tag": "email",
      "createdAt": "2020-01-13T13:21:14.978939"
    }]
  },
  {
    "user_id": "user-id-1",
    "tenantIdentifier": "tnt1",
    "hostName": "mailchimp.com",
    "actionType": "RETRIEVED",
    "createdAt": "2020-01-21T10:55:20.123832",
    "aliases": [{
      "alias": "4e185065-62c0-45ab-8fda-8b15e45786e7",
      "createdAt": "2020-01-13T13:21:14.978939"
    }],
    "tags": [{
      "tag": "email",
      "createdAt": "2020-01-13T13:21:14.978939"
    }]
  },
  {
    "user_id": "user-id-1",
    "tenantIdentifier": "tnt1",
    "hostName": "stripe.com",
    "actionType": "RETRIEVED",
    "createdAt": "2020-01-25T22:10:23.253575",
    "aliases": [{
      "alias": "4e185065-62c0-45ab-8fda-8b15e45786e7",
      "createdAt": "2020-01-13T13:21:14.978939"
    }],
    "tags": [{
      "tag": "email",
      "createdAt": "2020-01-13T13:21:14.978939"
    }]
  }]
}

Requirements

  • Consumers have the right to opt-out of having their data sold
  • Businesses must make it easy for consumers to do so, for example by including a link to opt out in customer communications.
  • Businesses must wait 12 months after a consumer opts out before requesting that the consumer authorizes selling their data

Tools

  • Button on the home page prominently displayed to opt-out of selling. Button must be labeled “Do Not Sell My Personal Information.” This is required and the label must be as written.
  • Track the date of opt-out to determine when to re-request authorization
  • Use opt-in consent rather than opt-out when asking for customer preferences
  • Extra precautions are required for children. If your website targets children or you have reason to believe that children are using the website, you must obtain:
    • Opt-in from the child for children between 13 and 16
    • Opt-in from the parent or guardian for children under 13

Operational Suggestions

  • Work with your in-house legal counsel or contract with an attorney to ensure you have sufficient requirements in place for determining age
  • If you sell customer data, create a process or technical control to ensure personal data of those who have opted out is not sold
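The following added example (not from the guide) is one shape the "process or technical control" above can take: an opt-out registry that records the date a consumer opted out, excludes that consumer's records from any sale pipeline, reports when the 12-month waiting period before re-requesting authorization has elapsed, and encodes the age rule for minors (opt-in from the child at 13 up to 16, from a parent or guardian under 13). All user ids, dates and records are constructed.

```python
"""Added example: opt-out registry as a technical control on data sales.
Not part of the guide; ids, dates and records are constructed."""
from datetime import date


def add_one_year(d):
    """Same calendar day next year; Feb 29 clamps to Feb 28."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


class OptOutRegistry:
    def __init__(self):
        self._opted_out = {}  # user_id -> date the opt-out was received

    def opt_out(self, user_id, received_iso):
        # A repeated opt-out must not restart the 12-month clock: keep the first date
        self._opted_out.setdefault(user_id, date.fromisoformat(received_iso))

    def opt_in(self, user_id):
        """Consumer re-authorized the sale; clear the opt-out."""
        self._opted_out.pop(user_id, None)

    def is_opted_out(self, user_id):
        return user_id in self._opted_out

    def may_request_authorization(self, user_id, today_iso):
        """Only after 12 months may the business ask an opted-out consumer again."""
        when = self._opted_out.get(user_id)
        if when is None:
            return True
        return date.fromisoformat(today_iso) >= add_one_year(when)

    def filter_for_sale(self, records):
        """Strip every record of an opted-out consumer before data leaves for sale."""
        allowed = [r for r in records if r["user_id"] not in self._opted_out]
        return allowed, len(records) - len(allowed)


def sale_permitted_for_age(age, opt_in_from=None):
    """Age rule from the checklist: under 13 needs a parent's opt-in,
    13 up to 16 needs the child's opt-in, 16 and over falls under the opt-out regime."""
    if age < 13:
        return opt_in_from == "parent"
    if age < 16:
        return opt_in_from == "child"
    return True


def may_sell(registry, user_id, age, opt_in_from=None):
    """Both controls must pass: not opted out, and any required opt-in present."""
    return not registry.is_opted_out(user_id) and sale_permitted_for_age(age, opt_in_from)


if __name__ == "__main__":
    reg = OptOutRegistry()
    reg.opt_out("user-id-1", "2020-02-29")
    print(reg.may_request_authorization("user-id-1", "2021-02-28"))
    print(reg.filter_for_sale([{"user_id": "user-id-1"}, {"user_id": "user-id-2"}]))
```

The filter returns the number of records it removed so a sale job can log that count next to the batch it shipped, which is the evidence an auditor asks for.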

Example Usage

Upstream host field: form to reveal the JSON path entries $.email in the request; targets: body

Request

Routes.yaml:

data:
  - attributes:
      created_at: '2020-01-22T13:24:11'
      destination_override_endpoint: '*'
      entries:
        - classifiers:
            EXCLUDE: user-id=1
          config:
            condition: AND
...

Requirements

  • A business must delete the data collected about a consumer after they verify that the request is valid.
  • The business does not have to delete the data collected if the business must maintain the information in order to:
    • Complete the transaction for which the data was collected
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible
    • Debug to identify and repair errors that impair existing functionality
    • Exercise free speech, or ensure the right of another consumer to exercise free speech
    • Comply with the California Electronic Communications Privacy Act
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws
    • Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information

Tools

  • Retention policy
  • Data deletion policy

Operational Suggestions

  • Have a process in place to inform service providers of the need to delete information
  • Develop a process to verify and track consumer requests to delete data

Example Usage

Request

curl -X DELETE https://api.verygoodsecurity.com/requests?user-id=1

Response

{
  "data": [{
    "user_id": "user-id-1",
    "tenantIdentifier": "tnt1",
    "hostName": "tnt1.sandbox.verygoodproxy.com",
    "actionType": "DELETED",
    "createdAt": "2020-01-13T13:21:14.978939",
    "aliases": [{}],
    "tags": [{
      "tag": "email",
      "createdAt": "2020-01-13T13:21:14.978939"
    }]
  }]
}
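As an added example (not the guide's own code), here is a deletion handler that applies the retention exceptions listed in the Requirements above. Each stored record may carry a retention_basis: a basis from the exception list keeps the record (with the reason recorded), no basis means the record is deleted, and an unrecognised basis is neither deleted nor silently kept but flagged for review. The request log, in the shape of the response above, yields the service providers that must be told to delete as well. STORE, REQUEST_LOG and the basis names are constructed.

```python
"""Added example: verified deletion request with CCPA retention exceptions.
Not part of the guide; store, request log and basis names are constructed."""

# Constructed labels for the exceptions listed in the Requirements
RETENTION_EXCEPTIONS = {
    "complete_transaction",      # finish the transaction the data was collected for
    "security_or_fraud",         # detect incidents, protect against fraud, prosecute
    "debugging",                 # identify and repair errors in existing functionality
    "free_speech",               # own or another consumer's free-speech rights
    "cal_ecpa",                  # California Electronic Communications Privacy Act
    "public_interest_research",  # public or peer-reviewed research in the public interest
    "compatible_internal_use",   # lawful internal use compatible with the collection context
}

# Constructed sample store; "marketing" is deliberately not an exception
STORE = [
    {"id": "rec-1", "user_id": "user-id-1", "field": "email", "retention_basis": None},
    {"id": "rec-2", "user_id": "user-id-1", "field": "order_total", "retention_basis": "complete_transaction"},
    {"id": "rec-3", "user_id": "user-id-1", "field": "login_ip", "retention_basis": "marketing"},
    {"id": "rec-4", "user_id": "user-id-2", "field": "email", "retention_basis": None},
]

# Constructed request log in the shape of the responses on this page
REQUEST_LOG = [
    {"user_id": "user-id-1", "hostName": "tnt1.sandbox.verygoodproxy.com", "actionType": "CREATED"},
    {"user_id": "user-id-1", "hostName": "mailchimp.com", "actionType": "RETRIEVED"},
    {"user_id": "user-id-1", "hostName": "stripe.com", "actionType": "RETRIEVED"},
]


def process_deletion(user_id, store, request_log, verified):
    """Delete the consumer's records in place, honouring retention exceptions.
    Returns what was deleted, what was kept and why, what needs human review,
    and which service providers must be told to delete their copies."""
    if not verified:
        return {"status": "rejected", "reason": "identity not verified"}
    deleted, retained, review, keep = [], [], [], []
    for rec in store:
        if rec["user_id"] != user_id:
            keep.append(rec)
            continue
        basis = rec.get("retention_basis")
        if basis is None:
            deleted.append(rec["id"])
        elif basis in RETENTION_EXCEPTIONS:
            retained.append({"id": rec["id"], "reason": basis})
            keep.append(rec)
        else:
            # Unknown basis: not a valid exception, so do not keep it quietly; escalate
            review.append({"id": rec["id"], "basis": basis})
            keep.append(rec)
    store[:] = keep
    providers = sorted({e["hostName"] for e in request_log
                        if e["user_id"] == user_id and e["actionType"] == "RETRIEVED"})
    return {
        "status": "needs_review" if review else "completed",
        "deleted": deleted,
        "retained": retained,
        "needs_review": review,
        "notify_providers": providers,
    }


if __name__ == "__main__":
    store = [dict(r) for r in STORE]
    print(process_deletion("user-id-1", store, REQUEST_LOG, verified=True))
    print([r["id"] for r in store])
```

The retained list with its reasons is what goes back to the consumer and into the request tracker; the notify_providers list is the input to the service-provider process the Operational Suggestions call for.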

Requirements

  • The CCPA requires reasonable security measures to be in place. What is reasonable is not spelled out in the law, but the California Attorney General's office has endorsed the following security measures in prior contexts:
    • Inventory and control of hardware assets
    • Inventory and control of software assets
    • Continuous vulnerability management
    • Controlled use of administrative privileges
    • Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
    • Maintenance, monitoring, and analysis of audit logs
    • Email and web browser protections
    • Malware defenses
    • Limitation and control of network ports, protocols, and services
    • Data recovery capabilities
    • Secure configuration for network devices, such as firewalls, routers, and switches
    • Boundary defense
    • Data protection
    • Controlled access based on the need to know
    • Wireless access control
    • Account monitoring and control
    • Implement a security awareness and training program
    • Application software security
    • Incident response and management
    • Penetration testing and red team exercises

Tools

  • Security tools including but not limited to federated access control, data loss prevention, audit logs, and firewalls
  • AWS security tools
  • Cybersecurity Framework and Capability Maturity Model

Operational Suggestions

  • Ensure your organization has a robust security review process for installing out-of-the-box applications, or a secure software development process for in-house development
  • Select a cybersecurity framework, such as the Top 20, NIST 800-53, ISO27001, HITECH. Measure your current maturity and set maturity targets for each control.

How it works

Diagram of how data protection works.