What We Do
How We Do
Get Started

What You Need to Know about the California Consumer Privacy Act

BY eSentire

January 23, 2020 | 3 MINS READ

Regulatory Compliance

Want to learn more on how to achieve Cyber Resilience?


Originally posted in Best Manufacturing Practices January 16, 2020

On the heels of the European Union’s General Data Protection Regulation (GDPR) and the revelation that Facebook and other social media platforms were selling their data, consumers began to demand stronger data privacy protection. However, the U.S. constitution contains no express right to privacy. It’s typically left up to the civil court system to decide on such matters as governed by state law or precedent. When data privacy legislation called the California Consumer Protection Act (CCPA) was introduced last year, it was passed within weeks of its introduction.

The CCPA’s quick passage was widely seen as a compromise with online companies that were eager to prevent a tougher citizen proposal from going onto the ballot. The legislation, which went into effect Jan. 1, grants consumers new rights with respect to the collection of their personal information. The CCPA represents the first legislation of its kind to pass in the U.S., but it’s certainly not the last. In 2019, more than 20 states considered data privacy legislation. California will be an acid test to watch as the legislation takes effect.

Due to its focus on consumer privacy, the CCPA mandates full disclosure from companies regarding the collection of personal information — everything from what details they are keeping to what sources that information is coming from and why they are collecting it.

Under CCPA, California citizens have the right to opt out of having their data/ information sold. Users and customers must be notified from the get-go about their information. They have to acknowledge that their information is being collected, but they can choose not to allow those companies to sell their information to other companies. CCPA goes one step beyond GDPR to not only define privacy rights but to expose the economic value of consumer data.

The “right to be deleted” is another CCPA assurance for consumers, akin to GDPR’s right to be forgotten. Companies aren’t allowed to retaliate against those customers who opt out of allowing their information to be sold by charging them higher fees or rates.

The Logistics of CCPA Compliance

Every department must understand CCPA’s requirements, so manufacturers need to set up some training if they haven’t already. Companies that fall within CCPA’s jurisdiction will need to map all of the information they collect. And for many, they’ll find that certain departments have no understanding of the implications that arise from the information they regularly gather.

As a real-world example, consider that the marketing department most likely stores sales information about customers and prospects in a customer relationship management (CRM) tool to create stronger buying personas. However, marketers are likely unaware that CCPA requires documentation of where that data came from and why it is being used. And in a situation like this, pleading ignorance is no longer a viable defense.

This data is valuable to your company, and that means it is also valuable to others. One of the major aspects of CCPA is that companies must declare the value of the data they are collecting — so if a company plans to sell that data, it must declare its resale value.

Manufacturers must also justify why they possess customer data and to fully map where the information goes, including across their supply chain.

Manufacturers are also responsible for keeping this data safe, which couldchange how vendors are chosen. Organizations will need to analyze the risks that are associated with that vendor by conducting due diligence and then establish controls. They will have to put monitoring in place to ensure their vendors are in compliance with those data controls.

Yes, such laws require new processes and sometimes new people, but it doesn’t herald the death of manufacturers with California customers. Instead, companies can use this mandate to re-examine their partners, supply chain and data collection and storage purposes and methods. This, in turn, has the knock-on effect of stronger data security and greater consumer confidence.


eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.

Read the Latest from eSentire