What are the CCPA Password Requirements?

Although there are no specific CCPA password requirements in California's Consumer Privacy Act, businesses could be subject to significant regulatory and civil penalties for failing to have reasonable cybersecurity measures in place in the event of a data breach.

California's Consumer Privacy Act (CCPA) – and subsequent enhancements in the California Privacy Rights Act (CPRA) – stipulate how qualifying businesses are required to protect the privacy and personal information of Californian residents. The Acts apply to all businesses wherever they are located in the world, and to all Californian residents whether or not they are resident in California at the time data is collected, processed, or shared.

The Act stipulates businesses must inform consumers of their privacy rights before collecting data, and advise them what data are being collected, why data are being collected, how data are being used, and when data are being shared or sold. Consumers have the right to prevent the sale of their data, and also to request access to data maintained about them in order to inspect, modify, or request the deletion of data when necessary.

To avoid placing a significant administrative burden on small and mid-sized businesses, California only requires qualifying businesses to comply with CCPA and CPRA. In order to be covered by California's data protection and privacy laws, a business must meet at least one of the following criteria:

  • Has an annual revenue of more than $50 million in total (i.e., not just in California).
  • Receives, processes, stores, sells, or shares the data of at least 100,000 Californian residents, devices, or households per year.
  • Obtains 50% or more of its annual revenue from the sale or sharing of personal information pertaining to Californian residents.

What CCPA Says about Data Protection

While the bulk of the Act focuses on consumers' “right to know”, the sections relating to penalties for non-compliance with CCPA include a clause allowing consumers to institute a civil action if nonencrypted or nonredacted personal information is accessed, exfiltrated, stolen, or disclosed without authorization “as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information”.

The fines for civil actions range from $100 to $750 per violation depending on the business's degree of culpability. Courts can also award injunctive or declaratory relief – or “any relief the court deems proper” – depending on the nature and seriousness of the data breach, the length of time over which it occurred, and the business's net worth. In addition, the Attorney General can issue fines of up to $7,500 per violation – the proceeds from which support further enforcement action.

In respect of penalties for non-compliance – and the recovery of injunctive or declaratory relief – it is important to note that CPRA removed the requirement for consumers or the Attorney General to prove that a data breach resulted in harm. Furthermore, courts have the authority to issue fines of up to three times the mandated amounts if a data breach results in the unauthorized disclosure of a minor's personal information – whether or not any harm has come to the minor as a result.

How to Best Protect Personal Data

Despite the many billions of dollars spent on data security, over 80% of data hacks analyzed in the Verizon 2020 Data Breaches Investigations Report were attributable to brute force attacks against weak passwords or stolen log-in credentials. The report confirms previous studies that have found weak passwords responsible for a high percentage of ransomware attacks, while phishing for credentials is reported to have increased exponentially during the COVID-19 coronavirus pandemic.

To best protect personal data against brute force attacks on weak passwords and against phishing, it is essential to install a password manager such as Bitwarden that alerts businesses to weak and reused passwords, and that warns users when they visit a spoofed website whose URL does not match the one for which a saved password exists. Bitwarden also supports multi-factor authentication to further protect personal data from unauthorized access, theft, or disclosure.
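The two checks described above, as an added illustration that is not Bitwarden's code or part of the original article: a vault audit that flags weak and reused passwords, and an autofill gate that refuses to fill credentials unless the visited page is served over HTTPS from exactly the host the entry was saved for. The sample vault entries, the 12-character minimum and the exact-host matching rule are assumptions made for this example.

```python
import hashlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample vault for the example; these are not real credentials.
VAULT = [
    {"site": "https://bank.example.com/login", "user": "alice", "password": "Password1"},
    {"site": "https://mail.example.net", "user": "alice", "password": "Password1"},
    {"site": "https://shop.example.org", "user": "alice", "password": "w7#Lq9!vZp2@rT4e"},
]

MIN_LENGTH = 12  # assumed policy threshold, not a CCPA figure


def is_weak(password):
    """Length and character-class check (a real manager also consults breach lists)."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) < MIN_LENGTH or sum(classes) < 3


def _digest(password):
    # Compare hashes so the audit report never has to carry plaintext around.
    return hashlib.sha256(password.encode()).hexdigest()


def audit(vault):
    """Map each site to its findings: 'weak', 'reused', or both."""
    seen = Counter(_digest(e["password"]) for e in vault)
    findings = {}
    for entry in vault:
        issues = []
        if is_weak(entry["password"]):
            issues.append("weak")
        if seen[_digest(entry["password"])] > 1:
            issues.append("reused")
        if issues:
            findings[entry["site"]] = issues
    return findings


def may_autofill(saved_url, visited_url):
    """Fill only over HTTPS and only when the hostname matches the saved entry exactly,
    so a lookalike such as bank.example.com.evil.test never receives the credential."""
    saved, visited = urlsplit(saved_url), urlsplit(visited_url)
    return visited.scheme == "https" and saved.hostname is not None \
        and saved.hostname == visited.hostname
```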

Password managers not only help businesses avoid penalties for breaches of California's Consumer Privacy and Privacy Rights Acts, but also support compliance with other industry-specific privacy regulations (e.g., HIPAA) and international privacy regulations (e.g., GDPR). Therefore, although there are no specific CCPA password requirements, implementing a password manager can help your business better protect any type of confidential information against unauthorized access.