CCPA Compliance Checklist – Is your business ready?

With the world moving towards digitization, organizations have a customer base from all around the globe. More consumers mean more data to handle and a higher threat of data breach. Protecting consumers’ personal data is one of the biggest challenges for businesses. The increasing trend of data breaches, and of unauthorized use of user data for targeted marketing, is drawing the attention of regulatory authorities.

Previously, the General Data Protection Regulation (GDPR) came into effect in May 2018 to govern how websites and organizations are allowed to collect, handle and process consumers’ personal data, which can be anything from names, addresses and browser history to financial data and more.

California Consumer Privacy Act (CCPA)

GDPR compliance has paved the way for a new consumer privacy initiative known as the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. While GDPR is a “privacy by default” and “valid consent from consumers” legal framework for the entire EU, CCPA is about “creating transparency” and giving rights to consumers in California’s huge data economy.

According to AB 375, the bill that enacted CCPA, every California consumer has the right to see all the personal information that a company or organization has saved on them. Moreover, it allows consumers to demand a full list of all third parties with whom that data is shared. If a company violates the privacy guidelines, consumers have the right to sue it, irrespective of whether a data breach has occurred.

This definition of personal information is clearly broader and more complex than GDPR’s, as it lists a wide range of standard examples: for instance, social security numbers (SSN), purchase histories, browser histories, driver’s license numbers, and other “unique personal identifiers” such as geolocation, device identifiers and online tracking technologies. However, it excludes publicly available information such as tax data from the central registry or government records.

What does CCPA mean for business?

The CCPA, effective from January 1, 2020, has a significant impact on corporate privacy policies across the technology, media and entertainment, and telecommunications (TMT) industries. Many brands across the United States largely avoided GDPR. Despite this, emerging privacy concerns among consumers and global regulations are the core drivers of data privacy mobilization across TMT industries.

CCPA compliance is obligatory for all businesses and companies dealing with California residents that have at least $25 million in annual revenue. Additionally, businesses that handle the personal data of at least 50,000 people, regardless of their size, also fall under the obliged entities. To be obliged by CCPA, companies don’t need a physical presence in California; in fact, they don’t even have to be in the United States.

CCPA is considered one of the strictest privacy laws in the United States. It empowers California residents to monitor and control how businesses process their personal data. This means organizations now have to honor consumers’ requests to access, delete and even opt out of the sharing or selling of their personal information. Taking into account such CCPA-specific requirements, organizations and businesses need to update their privacy programs and stop selling data at a consumer’s request.

Last year in April, an amendment was made to the law that exempts “insurance institutions, agents, and support organizations”, since they are already subject to a similar regulation under California’s Insurance Information and Privacy Protection Act (IIPPA). Moreover, it also excludes medical or health information collected by a person or entity governed by California’s Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Risks associated with third-party services

CCPA compliance poses a very significant challenge for businesses because of the involvement of third parties. For obliged entities, working with third parties is crucial, yet they are held responsible for whatever those third parties do with their data.

Under CCPA, organizations that collect or process consumers’ personal data are liable to keep that data private and protected under any circumstances, however many third parties, such as service providers or external vendors performing marketing, verification or billing, potentially gather the organization’s data.

Businesses need to conduct a comprehensive audit to determine which third parties are collecting, processing or storing consumers’ data on their behalf. Having identified them, organizations need to amend their policies and contracts to achieve CCPA compliance.

CCPA Compliance Checklist

With the introduction of CCPA, increased disclosures have become a fundamental obligation for businesses subject to the new law. Organizations need to develop detailed privacy notices to present to consumers when their data is collected. Moreover, they need to publicly disclose consumers’ rights under CCPA.

Here’s a CCPA compliance checklist that defines a roadmap for companies to meet the CCPA requirements.

  • Know if CCPA applies to your business

The most important thing businesses need to do to become CCPA compliant is to first determine whether they are obliged entities. The CCPA law sets out certain criteria for an organization to be obliged by the law, as well as some exemptions.

  • Review Personal information collection

To be compliant with CCPA, it is essential to figure out what personal information your organization or business is collecting from consumers. The collection of data is, in fact, the fundamental concern of CCPA. Often, organizations are not fully aware of the types of data they collect from a user, for instance the consumer’s IP address, which also falls under the CCPA definition of personal information.

  • Map data relationships

According to the California Consumer Privacy Act, the customer has the right to know what data is collected and for what purpose. To meet this demand, companies need to develop data maps that clearly show the scope of personal information being collected, processed and stored. Moreover, it is mandatory to describe how the data is used internally and whether it is sold or shared with third parties, and if so, for what purpose.

  • Review policies for handling information

The CCPA law intends to improve the way organizations handle consumers’ personal information. This requirement is driving organizations to review their existing policies and procedures first. For instance, what procedure would they follow if a customer requests deletion of their data?

Say the company stores data in a parallel topology, meaning that besides the server, the data is also held in other systems. Then deleting the data from the server isn’t going to be enough, and the procedure has to be revised to cover every copy.

  • Update organization’s privacy policy

Updating the company’s privacy policy is a mandatory part of CCPA. These policies describe to customers in detail what data the organization collects and the purpose of collection. As per CCPA, the policy must include the following three things:

  1. Consumer rights – describing what control a customer has over their collected information.
  2. What is collected – describing what personal information is collected from the consumer.
  3. How information is used – informing customers how the collected information will be shared, i.e. for business purposes or by selling to external vendors.

These three points must be described in detail in the company’s privacy policy.

  • Prepare for consumers’ opt-out and deletion requests

With CCPA allowing customers to make opt-out and deletion requests, they are definitely going to use this right, and organizations have to be prepared to accommodate such requests. Dealing with consumers’ requests manually is not effective; setting up an automated system to handle delete and opt-out requests is the need of the hour.

For this, it is recommended to establish a procedure by which consumers can request a copy of their data and its deletion.
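The data map, the parallel-copy problem and the deletion-request procedure described above, as an added Python example that is not part of the original article: a small data map records which systems hold which categories of personal information and which third parties receive it, and the deletion handler fans a verified request out to every system rather than just the primary server, lists third parties that must be told to delete too, and reports any copy it could not remove. All system, consumer and third-party names are constructed for the example.

```python
"""Added example (not from the original article): a minimal CCPA data map and a
deletion-request handler that fans out to every system holding the consumer's
personal information (PI), not just the primary server. All system, consumer
and third-party names below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class DataStore:
    """One system that holds PI about consumers."""
    name: str
    categories: set                                  # PI categories held, e.g. {"email"}
    shared_with: set = field(default_factory=set)    # third parties this store feeds
    deletable: bool = True                           # False: needs an out-of-band purge
    records: dict = field(default_factory=dict)      # consumer_id -> PI record

    def holds(self, consumer_id: str) -> bool:
        return consumer_id in self.records

    def delete(self, consumer_id: str) -> bool:
        """Return True only if the record was actually removed from this system."""
        if not self.deletable or not self.holds(consumer_id):
            return False
        del self.records[consumer_id]
        return True


class DataMap:
    """Which systems hold which PI categories, and who receives them."""

    def __init__(self, stores):
        self.stores = {s.name: s for s in stores}
        self.audit_log = []

    def right_to_know(self, consumer_id):
        """Per-system PI categories held for this consumer (the right to know)."""
        return {name: sorted(s.categories)
                for name, s in sorted(self.stores.items()) if s.holds(consumer_id)}

    def third_parties_for(self, consumer_id):
        """Every third party that received this consumer's PI from any system."""
        return sorted({tp for s in self.stores.values()
                       if s.holds(consumer_id) for tp in s.shared_with})

    def handle_deletion(self, consumer_id, identity_verified):
        """Fan a deletion request out to every system, record which third parties
        must be told to delete too, and verify that nothing is left behind."""
        if not identity_verified:
            # An unverified request could delete or disclose someone else's data.
            result = {"status": "rejected", "reason": "identity not verified"}
        else:
            notify = self.third_parties_for(consumer_id)   # compute before deleting
            deleted_from = sorted(n for n, s in self.stores.items()
                                  if s.delete(consumer_id))
            residual = sorted(n for n, s in self.stores.items()
                              if s.holds(consumer_id))
            result = {
                "status": "complete" if not residual else "incomplete",
                "deleted_from": deleted_from,
                "residual": residual,            # the parallel copies the text warns about
                "notify_third_parties": notify,
            }
        self.audit_log.append({"at": datetime.now(timezone.utc).isoformat(),
                               "consumer_id": consumer_id, **result})
        return result


def build_sample_map():
    """Constructed sample: one consumer whose PI is copied into four systems."""
    pi = {"email": "c1001@example.invalid", "ip_address": "203.0.113.7"}
    return DataMap([
        DataStore("primary_db", {"email", "purchase_history"},
                  records={"c-1001": dict(pi)}),
        DataStore("analytics_warehouse", {"ip_address", "browsing_history"},
                  shared_with={"AdVendorCo"}, records={"c-1001": dict(pi)}),
        DataStore("crm", {"email"}, shared_with={"MailerCo"},
                  records={"c-1001": dict(pi)}),
        DataStore("cold_backup", {"email", "ip_address"}, deletable=False,
                  records={"c-1001": dict(pi)}),
    ])


if __name__ == "__main__":
    dm = build_sample_map()
    print(dm.right_to_know("c-1001"))
    print(dm.handle_deletion("c-1001", identity_verified=True))
```

An "incomplete" result with a non-empty `residual` list is the signal that the procedure itself needs revising, for example by scheduling the cold backup for purge at snapshot expiry.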

  • Review third-party contracts and conduct audits

The California Consumer Privacy Act puts a bigger responsibility on organizations to keep track of third-party collection of consumers’ personal data. In case of any violation, the company is held liable. Therefore, to avoid such situations, companies need to revise their contracts with third-party companies and service providers that use customers’ personal information.

Reviewing contracts alone isn’t enough; organizations also need to conduct regular audits of the service providers that have access to the data, to find any loophole or threat.

  • Review security protocols and implement data encryption policies

Data privacy is the basis of the CCPA law, and it means protecting consumers’ data by every means, including against data breaches. That’s why reviewing security protocols and implementing data encryption are equally essential for companies to be compliant with CCPA.

  • Employee training regarding CCPA

Employee training regarding new company policies, data handling and privacy laws is a core responsibility of an organization. Employees must receive in-depth training on every part of the California Consumer Privacy Act, especially the parts directly applicable to their job roles.

Violation of the CCPA law can carry stiff penalties and fines; therefore companies need to be vigilant in developing new policies and procedures to comply with the regulation.


Initial CCPA Compliance Costs Could Hit $55 Billion: Report

According to an economic impact assessment prepared for the state attorney general’s office by an independent research firm, California’s new privacy law could cost companies a total of $55 billion to get into compliance. Total CCPA compliance costs are likely to vary considerably based on the type of company, the maturity of the business’s current privacy compliance system, the number of California consumers it provides goods and services to, and how personal information is currently used in the business.

CCPA provides sweeping privacy protection to California’s residents. It includes a provision that will allow consumers to know what data companies are collecting on them. The bill grants California residents the right to be informed about how companies collect and use their data, and allows them to request that their personal data be deleted, among other protections. It represents the start of a new era of privacy laws designed to protect personal data, says Kelsey Finch of the Future of Privacy Forum. A section of CCPA gives consumers the right to have their personal information deleted from the company’s database.

CCPA Affecting Businesses:

CCPA will affect three types of businesses based in California:

  • Companies that have gross revenue of at least $25 million.
  • Companies that buy, sell and share the personal information of 50,000 or more consumers, households or devices.
  • Companies that get 50 percent or more of their annual revenue from selling consumers’ personal information.

By estimates, companies with fewer than 20 employees will have to pay $50,000 for compliance. Large companies with more than 500 employees will have to pay an average of $42 million. This will make up 1.8% of California’s Gross State Product. According to a report, total compliance costs for the companies subject to the law could range from $467 million to more than $16 billion over the next decade. Researchers estimated that as many as 75% of California businesses earning less than $25 million in revenue would be impacted by the legislation. States have begun efforts toward privacy legislation. Facebook CEO Mark Zuckerberg has advocated creating a nationwide policy in this regard, since cost and complications would be lessened by setting one legal standard for tech firms rather than taking a piecemeal approach to compliance.

Since many businesses in California that operate in Europe had to make changes to comply with the GDPR, which went into effect last year, and CCPA has taken some elements from GDPR, the research suggests that compliance costs for California’s law will be reduced as a result. The EU estimated that average incremental compliance costs for GDPR would total about 5,700 euros a year (nearly $6,300), according to the report, though there is also evidence that the regulation caused lost productivity in sectors that rely heavily on data. As with GDPR, smaller firms are likely to take on a disproportionately larger share of compliance costs compared to larger firms.

CCPA – An Inherited Part of GDPR:

Over a year after the introduction of GDPR, concerns regarding its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs. Sources explain this dichotomy by noting that large technology companies are often several steps ahead of both competitors and regulators. In the long term, however, the differential impact is expected to shrink, driven in part by competition among third-party services that will help small businesses comply with the legislation.

Economic Impact on Companies:

Companies are going to face an economic impact from CCPA: smaller companies with fewer than 20 employees are expected to spend about $50,000 in initial CCPA compliance costs, while mid-sized firms with between 20 and 100 employees could incur costs of $100,000 to start, according to the study.

The expenses come at a time when companies are reaping big rewards from the buying and selling of personal consumer data. The use of personal data in online advertising is a $12 billion annual business in California. When combined with the buying and selling of information from data brokers, the number rises to $20 billion annually.

California businesses could spend an additional $16 billion over the next decade after initial compliance expenses to keep up with changes and other expenses, according to the report. Those expenses could include hefty fines for those who violate the law.

A recent report from the International Association of Privacy Professionals found that as of this summer, only 2 percent of affected businesses were fully compliant with the law.

Meanwhile, some other state legislators are using California law as a model. In Nevada, for instance, a new privacy law went into effect on Oct. 1. That law, known as Senate Bill 220, will give consumers more ways to keep websites from selling personal data.

Businesses that need to comply with CCPA:

Following are some types of business that hold large amounts of private data that must be protected under CCPA:

  • E-Commerce:

Online businesses hold a huge amount of private data, which they take advantage of. A user surfing the internet is analyzed by AI-based products, and products matching their interests are shown to attract them. This means that user data is being used to drive more sales of desired products by advertising them. So CCPA will enhance the privacy policies of businesses across the globe; businesses’ so-called rights over consumer data will be curtailed by CCPA.

  • AI-based Verification Services:

As regulations regarding KYC and AML become more stringent, businesses are adopting identity verification services for their customers and for other businesses. For this, they hold huge amounts of client data that they have to verify. Identity verification service providers have the most confidential data on hand, hence they must follow the provisions of the California Consumer Privacy Act.

  • Social media:

Social media plays a vital role in consumers’ shopping decisions. It is a platform for targeting an audience of interest. According to a study, 87% of shoppers are satisfied with the shopping experience through social media. Many social media marketing tools are employed to reach the audience of interest and to improve sales of a particular product, and businesses are aware of these tools and deploy them well. These marketing products use the information available on social media platforms. Social media sites have to change their practice of selling users’ personal information to third parties: the user’s consent must be obtained before selling this data to a third-party business.

So, businesses need to comply with CCPA to protect consumers’ private data. Since many California businesses had to comply with Europe’s General Data Protection Regulation last year, some of the compliance costs for the new state law will likely be reduced, according to the report’s authors. Many businesses need to comply with CCPA to mitigate the risk of a data breach. The law will go into effect on Jan. 1, 2020.

GDPR Phishing Scams – A Novel Trap to Scoop up Information

The General Data Protection Regulation (GDPR), an EU regulation, comes into force on 25 May 2018 and aims to provide users with more control over their online data.

It is ironic that the aim of GDPR is being subverted by scammers in an unexpected way, i.e. GDPR phishing scams.

What are GDPR phishing scams?

To comply with GDPR requirements, organizations send emails to customers asking permission to use or retain their data. If customers give their consent, organizations keep them on their mailing lists. This process ran smoothly until cybercriminal opportunists emerged. They take advantage of the deluge of GDPR emails arriving in the inboxes of unsuspecting customers: a flood of messages, apparently from websites where customers have previously registered, asking them to re-confirm consent via email. From the email addresses scraped this way, personal details are stolen and used in malicious activities. Criminals trick consumers through such phishing emails and grab credit card details, passwords and personal information.

The EU GDPR regulation applies to all EU residents. Companies are supposed to strictly follow the GDPR requirements, therefore consent emails are being sent far and wide. Scammers use these emails to fool customers. A large number of phishing scams have surfaced in the past few months. The regulation whose purpose is to secure the data of online users has been turned on its head and has become a trick for violating privacy.

Apple Phishing Scam

Phishers impersonate reputable companies and familiar brands because there is a higher chance that recipients will respond to emails that appear to come from such addresses, or will already have registered at such websites. Apple is one of those famous brands.

The attackers sent GDPR phishing emails to users asking them to log in to a fake Apple site. These emails appear to come from the legitimate Apple website and fool victims by saying that ‘due to unusual circumstances, their account has been limited and they need to update their credit card credentials’. At the end of the email a link is given, and clicking it redirects to a website that looks real but is actually a phishing page. Once the user enters their account credentials, the Apple account is taken over by the attacker, who finds all the personal and financial information of the user there. By the time victims report the website, the fake site is already offline, which makes it hard to track.

Airbnb Phishing Scam

GDPR email phishing scams predominantly impersonate the email addresses of well-known companies. Airbnb has also been subjected to these attacks. Following the GDPR compliance requirements, Airbnb started sending legitimate emails to its customers to comply with the policy. Fraudsters took advantage of these emails and sent phishing emails to Airbnb users. The email appears to come from Airbnb’s customer support office, but these are actually fraudulent messages whose aim is to steal customer data for illegal purposes. These sophisticated emails had different URLs, grammar mistakes, spelling mistakes, threatening language and requests to update credentials. After such phishing incidents, Airbnb asked its customer community to verify such emails if they look suspicious.

These two main scams have come to the surface and clearly illustrate the malicious emails fooling customers of trusted brands. More such cases may appear in the future that can directly or indirectly affect people’s lives and organizational reputations. Therefore, such brazen attempts and ransomware attacks should be curbed by logging into the official websites to verify request emails rather than following links in them.

Looking for Online Fraud Prevention: Here Is What You Can Do

In an increasingly digital world, it is extremely important for online businesses to identify fraudulent activities happening in their systems. In an online marketplace, a large number of transactions take place every second. Among those, 67% of fraudulent transactions remain undetected, which results in heavy losses. According to end-of-2018 records, online fraud has reached a loss of $6.4 billion. Fraudsters are always in search of vulnerabilities in the system; they exploit entry points and perform malicious activities. While online businesses focus on a better user experience in customer onboarding, they lack the security measures needed for online fraud prevention. It is a crucial need for banks, financial institutions and online marketplaces to reduce the risks of online payment scams and introduce high-level security in their systems.

Online frauds are of different types. The purpose and intention behind each fraud may be the same; only the method differs. Some common types are:

  • Identity Theft: Cybercriminals attack the system to obtain people’s personal information and use it maliciously by assuming someone else’s identity.
  • Credit Card Fraud: Fraudsters make a purchase on a weakly protected website, enter all the essential information and fool the system using a credit card they have stolen.
  • Email Phishing Fraud: The fraudster sends an email to the victim (who could be a bank employee) that appears to be an official email from some financial authority. The email contains a link that redirects the person to a login page that looks exactly like the bank’s official website. Once the employee enters their login credentials, the scammer obtains all the personal information and uses the account for malicious activities.

Industries Affected by Online Fraud

63% of industries have experienced fraudulent online losses. With digital transformation of both front-end and back-end operations, there is a need to take high-security measures for online fraud prevention. 75% of online businesses want a secure online system. To achieve this, online businesses require solutions that enable trust within and outside the organization. Some of the major industries that have faced online fraud are:

Online Retail Industry

In 2019, e-commerce sales are expected to account for 13.7% of retail sales worldwide. E-commerce sales are estimated to increase by more than 240%, to $4.48 trillion, by 2021. If on one side this massive amount shows the demand for e-commerce, on the other side there is a record of 6% online fraud in the retail industry. Transactions happening in bulk are great opportunities for fraudsters to enter the system. In the retail industry, the highest fraud is inventory fraud and fraud due to fake credit cards. It is necessary for the online retail industry to secure its systems in order to prevent online fraud.

Gambling Industry

Today, the gambling industry generates huge revenue, which was $44 billion in 2016 and is expected to be $81 billion by 2022. The gambling industry is a very tempting platform for money launderers and cybercriminals. A recent report shows an $82 billion loss in the gambling industry due to Card Not Present (CNP) attacks. Also, 3.5% of all online payments that take place are fraudulent. The gambling industry needs to implement AML and KYC-based checks in its systems to prevent cyberattacks and money laundering activities.

Healthcare Industry

The healthcare industry holds sensitive information regarding patients and hospitals. This information needs to be stored in a secured database in order to prevent data loss and support online fraud prevention. A 2018 report shows a $2 billion loss due to online fraudulent activities. This loss is not only the bill the healthcare industry paid; the lives of several people were also affected. Patient data, which includes insurance details, medical history and personal information, is stolen. Fraudsters use it for money laundering, to track patients’ insurance details and to blackmail them. For the healthcare industry, it is important to secure its data with significant security measures in order to protect its systems and patients from heavy risks.

Online Fraud Protection

Online businesses should adopt serious security measures to mitigate the risks of online fraud. For this, identity verification and authentication are compulsory. Each identity entering the system should be verified under the applicable AML and KYC regulatory compliances. The banking industry and financial institutions can protect their systems from cyberattacks using KYC compliance. This will reduce the risks of credit card fraud and online payment scams. Biometric verification (fingerprints, iris scanning, facial recognition, etc.) can help in customer verification. There are multiple other ways to verify and authenticate users. Below is a chart that shows the percentage of verification methods adopted by multiple online industries:

[Chart: online fraud detection and prevention methods adopted by businesses]

Regulation Governing online Fraud Prevention

  • GDPR:

The General Data Protection Regulation (GDPR) is the EU’s most vital regulation for privacy protection. GDPR sets rules regarding how people’s data should be gathered, used, managed and protected. Any online business that holds sensitive information is obligated to follow the regulations defined in GDPR.

  • BaFin:

BaFin is the financial regulatory authority for Germany. On the basis of European supervisory standards, BaFin takes risk-oriented security approaches that are appropriate for industries and online businesses. It ensures reliability in the financial market and introduces policies accordingly.

  • PSD2:

PSD2 in the EU forms regulations that support various forms of payment institutions, introduce interaction methods and facilitate open banking. Under these regulations, online businesses map their systems and provide their customers with several services.

  • eIDAS:

eIDAS is the EU regulation that defines policies for trust services and electronic identification of customers. These services help in the identification and verification of individuals online and through electronic documents. Banks and financial institutions can implement certain functionalities based on the eIDAS regulation in order to prevent online payment fraud.

For any online business, along with better user experience, implementing security measures is equally important. The cost businesses pay for vulnerable systems not only affects the economy but also results in inevitable damage to business reputation. Adoption of secure technological solutions can lessen the risks of heavy fines and business failure, and also helps to make up for previous losses by preventing them in the future.

GDPR versus Identity Verification – Are you Ready?

If you are an organisation that is based in the EU, or are doing business with companies in the EU where you have either direct or indirect access to some sort of personal information of EU citizens, then this is important for you. The GDPR, or General Data Protection Regulation, is about to be implemented in a couple of months. It is literally a game changer in the way companies will manage the personal information of individuals. This is an even more sensitive matter for companies that require identity verification and heavily rely on digital KYC, such as banks, e-commerce sites and the like. As heavy fines and strict action await businesses that do not comply with these regulations, it is important that corporates get updated regarding GDPR in order to become compliant. In this article we will cover the crux of the new EU data protection act and its impact on organisations that rely on online identity confirmation. We will also discuss solutions to make life easy for these companies.

What do the Regulations Cover?

The first question that should come to mind is: what do these regulations cover? The answer is that they cover the protection of user data in almost every possible way. For a business to be GDPR compliant, it must not only make sure that an individual’s data is secure, but also follow up on the way it is handled. It must allow the customer, or user, to monitor, control, view and, if they want, delete any or all information about them.

In order to achieve its goals of protecting users’ data, GDPR encourages companies to make the information such that it cannot be traced back to the user (anonymisation), or to store it in a manner such that it is not kept together but separately and, if required, can be put together again (pseudonymisation); this is to ensure user privacy. The third option it promotes is that the data be encoded so that it cannot be read without the key, i.e. data encryption. Some organisations might need to appoint specialised personnel to manage and secure the data, known as a DPO (Data Protection Officer); these are certified data handling and protection experts.

Even with all the strictness, there are certain exceptions where companies can collect and process data without specific consent. These include data related to cyber security, employee data, national security, etc.

The crux of GDPR is that the protection of user data must be done with specific, concise and transparent processes and communication protocols. Basically, the user has the right to know what will be done with the information, where it will be stored and for how long, etc. Also, all data that is gathered must be collected with the clear consent of the user. The companies handling the information also need to have certain protocols in place in case there is a leak of personal data, i.e. they need to inform the proper authorities within 72 hours and the end user right away.

Identity Verification is Important Too

Given that most online businesses are unable to physically see their customers and online users, there will always be a requirement for identity verification. It is essential now more than ever, as more and more organisations and businesses provide services and goods utilising the power of the Internet. This is not only to save cost, but also to provide convenience to the end consumer. The problem that arises is that since no physical presence of an individual is required, certain miscreants take advantage of this situation and carry out identity theft and scams that cause financial loss to users and corporations. For this, companies heavily rely on digital KYC (Know Your Customer) services and processes to confirm identity and consequently minimise fraud. This is extremely essential for banks and financial institutions that provide online financial services, from opening an account, making payments and transfers, to paying taxes and mortgages. Since online services are here to stay, and as the general population turns to the Internet for their ever-increasing needs, knowing who’s who is becoming imperative.

What GDPR Means for Online Identity Verification?

The question that most businesses using digital KYC processes are asking is: what will be its impact on KYC services and their providers? The new data protection act understands the importance of identity and of protecting it, so it is not that verification will be stopped. On the contrary, companies that require such confirmation will need to make sure that they secure the information they get and at the same time make its use clear, easy to understand and transparent for the individual. So if a company is using such a service to make sure that it has been given the credit card number of the right person, it needs to make sure that once it has gathered the data and confirmed the identity, it tells the customer what it will do with the data. Will the data be deleted or kept? If kept, for how long, and what measures have been taken to safeguard it? All this needs to be done with the clear consent of the individual concerned, and the user should have the right to have their data deleted if they wish.

What about Third-party Verifiers?

Most e-commerce businesses, as well as banks and providers of financial services and goods, use third-party identity verification services. The fact that the process is outsourced does not exempt the company from being GDPR compliant. In fact, not only the company outsourcing the process but also the company handling the digital KYC will be required to be compliant with the new act. Even if the company is located outside the EU, if it is handling the personal information of EU citizens it needs to ensure compliance. Given the extravagant fines and strict actions, it is essential for organisations to make sure that they outsource verification(s) to reliable and GDPR compliant companies that have the expertise to handle and protect the data without incident. They should also have processes and protocols in place to handle breaches, and to inform and act in accordance with GDPR regulations if one were to occur.

In Conclusion

The GDPR is a reality that is going to be implemented, and the sooner companies and organisations get compliant, the better it will be for them. To say that time is short would be an understatement: the regulation is to go into full effect near the end of May 2018. The best possible bet would be for companies either to get third-party help, similar to the businesses they use for their online identity verification services, or to opt for specialists such as DPOs who can help align the company with the new act.
