The California Consumer Privacy Act (CCPA) will take effect in California starting on January 1, 2020 in order to strengthen the protection of individuals’ personal information data in the face of a rapidly-evolving technological landscape and increased interconnectivity between organizations.
Here’s a breakdown of what to expect from the CCPA, and how Okta can help organizations along their CCPA journeys.
What is the CCPA?
The California Consumer Privacy Act is a comprehensive piece of privacy legislation that will require companies to take certain steps to protect the personal information of Californians. Specifically, it focuses on data security obligations, rights for individuals, and increased transparency and accountability for companies regarding the collection, storage, use, or transfer of personal information about California consumers.
Critically, under the CCPA, California defines “personal information” broadly, so that the law generally covers any information relating to an identified or identifiable individual.
Who does the CCPA apply to?
The CCPA applies to any organization (regardless of where it is located) that processes the personal information of California consumers and satisfies at least one of the following criteria:
- Has annual gross revenues in excess of twenty-five million dollars.
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What rights are owed to customers under the CCPA?
Depending on their internal processes and procedures, some businesses may have to take steps to adjust their operations to reflect the CCPA’s legal requirements. The rights they must make available to consumers include:
- The right to know about personal information being collected, disclosed, or sold.
- The right to request the deletion of personal information.
- The right to opt-out of the sale of personal information.
- The right to non-discrimination for the exercise of CCPA privacy rights.
- Consumers may designate an authorized agent to make a request under the CCPA on their behalf.
- The right to know if service providers offer any financial incentives tied to the collection, sale, or deletion of consumer personal information.
What types of details do organizations need to disclose to consumers under the CCPA?
The CCPA also requires companies to disclose specific details to consumers, including:
- A description of the new rights available to consumers.
- Categories of personal information collected in the last 12 months and the business or commercial purposes for collecting that data.
- Categories of data sources used in data collection.
- Categories of third parties with whom businesses “share” personal information.
- Categories of third parties to whom businesses “sell” personal information.
- Categories of third parties to whom businesses “disclose for a business purpose” personal information.
- Specific pieces of personal information collected about a consumer.
- A link to an opt-out page.
When does the CCPA take effect?
The CCPA becomes operative on January 1, 2020. Although the California Attorney General will not bring enforcement actions until July 1, 2020, businesses may be subject to private right of action under the law beginning on January 1, 2020.
How can Okta support my CCPA journey?
While Okta is not a silver bullet for CCPA compliance, we are committed to our customers’ success—including facilitating their CCPA compliance efforts.
Do Okta’s customers need to opt-out of data sharing with Okta?
No. Customers are permitted to share personal information with service providers like Okta, even when a consumer has opted-out of data sharing. We are updating our contracts to reflect this.
Security through Okta
The CCPA requires companies to implement “reasonable security” measures to keep their personal information secure. Okta helps them meet this reasonable security standard through a wide range of security tools.
For example, Okta customers can monitor access and implement controls amongst their employees to establish a least-privilege access framework. Admins can set strong password and multi-factor authentication (MFA) requirements, check for reused passwords, set up security notifications, and more.
Okta provides a one-stop-shop for customers to manage user identities that can be configured to meet organizational security needs.
Get more information
Still have questions? Check out the resources below or contact us to see how we can support your organization.