Preparing for the California Consumer Privacy Act with Box


Over a year ago, GDPR was enacted as Europe's most comprehensive privacy law and its impact was far-reaching. Now, the U.S. is preparing for one of its own landmark privacy acts, the California Consumer Privacy Act ("CCPA"), to go into effect.

CCPA was created to give California residents more control over their personal information (PI) and requires that businesses provide greater transparency on how they may collect, share or process such data. Given that CCPA is effective on January 1, 2020 and that businesses can be fined up to $7,500 per violation, it's critical for companies to understand the new law and ensure preparedness for the new requirements CCPA imposes. By providing one platform for secure content management, collaboration, and workflow, Box bridges the gap in CCPA readiness by making it easier to control where your data is stored and how it is accessed, along with the enablement of data minimization and enhanced security measures. 

CCPA applies to “for-profit companies” doing business in California that collect and process consumer data AND meet any of the following criteria: 

  •  Have an annual gross revenue over $25 million 
  •  Derive 50% or more of its annual revenue from the sale of consumer PI
  •  Buy, sell, or share the PI of more than 50,000 consumers, devices or households

At a high level, CCPA provides California consumers with 5 primary rights:

  • Right to know what PI a business collects and how it's used
  • Right to deletion
  • Right to opt-out of the sale of PI to third parties
  • Right of non-discrimination
  • Certain private rights of action against companies

If your company has already geared up for GDPR, then you've likely taken many (though not all) of the steps needed for CCPA. You can learn more about differences between GDPR and CCPA here. If you're interested in learning more about the CCPA, please visit the California Attorney General website here

We know that compliance can be a challenge and Box is here to help. Here is how Box can help along your journey to CCPA readiness:

1) Find and map consumer data to get ready to perform certain tasks like deletion with Box's core features. Using the native Content Manager tool in the Admin Console, customers can perform a global search of their content to find what documents contain an individual's PI and then delete as needed. By using Box as the central repository for content, customers can reduce the overall surface area of where sensitive content is stored and therefore, reduce security risks.

2) Make sure your company has implemented and is maintaining reasonable security procedures and practices. The CCPA penalizes a company when a consumer’s PI is subject to unauthorized access, theft, or disclosure. By maintaining strong security controls, you can help minimize such violations. Box has several native features and additional products that may help with your security practices:

  • With Box's Device Trust features, Admins can set minimum requirements for users to access content on Box and can perform certificate checks to ensure devices are corporate-approved. Device Trust helps ensure that customers' private information is not being accessed on insecure or personal devices, which could help customers manage where CCPA-relevant information is stored. Learn more about Box's Device Trust here.
  • With Box Shield, you can protect PI with robust prevention and threat detection capabilities. With Box Shield's Smart Access capabilities, customers can automatically label files and folders and then create access policies for those labels that adhere to defined security controls. For instance, folders containing customers' PI can be given a "download restriction" control to limit how that data is accessed and stored, thus reducing risks and protecting the flow of sensitive information. Box Shield's Threat Detection capabilities can further reduce risk by quickly detecting potential content-centric threats. Learn more about Box Shield here.

3) Reduce risk by retaining necessary information with Box Governance. While the CCPA allows for a right of erasure/deletion, this right does not supersede other regulatory requirements that mandate an organization’s retention. For example, organizations must keep financial records for 7 years and healthcare information for 10 years. Box Governance can help manage data retention requirements and can be leveraged to set retention periods for files/folders that must be kept for a certain length of time. Learn more about Box Governance here

Learn more about using Box for CCPA in our get CCPA-ready guide. Additionally, listen to one of our recent webinars on charting your journey to CCPA readiness where industry experts will walk you through the steps you can take to help prepare for CCPA.