California Consumer Privacy Act (CCPA)
We will explore the key compliance requirements of the CCPA and what actions businesses need to take from both a data privacy and cybersecurity standpoint.
What is CCPA?
Enacted as Assembly Bill 375 (AB-375), the CCPA is designed to give California residents more control over the collection and use of their personal data, such as financial information, Social Security and passport numbers, household information, online identifiers, email addresses, and more.
A key premise of the law is that, as of January 1, 2020, Californians have the right to know what personal data is being collected about them and why, how that data is collected, and whether it is sold or disclosed to a third party.
Once a business holds their data, consumers must also be able to access it and request that the business delete the personal information it has collected about them.
Complying with CCPA is not Optional
Non-compliant companies can be fined up to $2,500 per violation of the law's data privacy requirements, rising to $7,500 per violation when the violation is intentional.
Does my business really need to comply with CCPA if we don't deliver services directly to customers in California?
A for-profit entity that does business in California (even without a physical presence there) and collects California consumers' personal information is required to comply if it meets any of the following criteria:
- It collects the personal information of 50,000 or more consumers, households, or devices per year
- It has gross annual revenues over $25 million
- It derives 50% or more of its annual revenue from selling consumers' personal information
What does CCPA mean to Your Cybersecurity?
The CCPA is primarily concerned with consumer privacy rights; by contrast, the GDPR also covers in more detail how businesses should approach data security, data management, and data portability.
The CCPA puts consumer data privacy front and center: the right to know what data is collected, where it is stored, and when it is shared with third parties, and the right to opt out of its sale. The flip side of that coin, data protection and security, is where the California law is short on specifics: it requires "reasonable" security but does not define it.
Consumers have the right to …
- Know all data a business has collected about them, up to twice a year, free of charge.
- Say NO to the sale of their personal information.
- Sue a company that collected their data if that data was stolen or disclosed in an unauthorized data breach and the company was careless or negligent in protecting it (for example, the data was unencrypted or unredacted, or the company lacked reasonable security policies and procedures). This is the law's information security provision, and its purpose is to curb identity theft.
- Have a business delete the personal information it collected from them, subject to the statutory exceptions.
- Not be discriminated against for telling a company not to sell their personal information.
- Be informed of the categories of data that will be collected about them at or before the point of collection, and of any changes to that collection.
- Opt-in before the sale of children's information (under the age of 16).
- Know the categories of third parties with whom their data is shared.
- Know the categories of sources from which their data was acquired.
- Know the business or commercial purpose for collecting their information.
Enforcement of the data breach provision is via a private right of action (consumer lawsuits, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater); the rest of the act is enforced by the California Attorney General, at up to $2,500 per violation or $7,500 per intentional violation.