With the start of a new year and new decade, there’s also the start of new legislation. The biggest new piece of legislation currently is the California Consumer Protection Act (CCPA), which came into effect on January 1, 2020. It brings with it promises from major companies, including Microsoft, that the privacy this creates for Californians will be given to all Americans. In return, if the opportunity is used well, complying with the CCPA will give companies a head start on additional legislation that will be coming soon to the rest of the country.
Many companies may feel that this law does not apply to them if they are not based in California. But with California having the world’s 5th largest economy, ahead of even the UK, France, and India, the CCPA has greater reach than many may realize.
Exactly Who Does The CCPA Affect?
Companies do not have to be based or have a physical presence in California — nor even the United States — to fall under the CCPA. Answer these questions to find out if your company must be CCPA compliant:
- Is your company a for-profit entity that collects or uses personal data from California residents?
- Does your company have a gross annual revenue of $25 million or more?
- Does your company buy or sell personal information from 50,000 or more consumers/households?
- Does your company earn more than half of its annual revenue from selling consumers’ personal information?
If you answered yes to the first question and any or all of the remaining questions, you must comply with the CCPA. Even if your company shares common branding with a company that is covered by the CCPA, your company must also comply — “common branding includes a shared name, servicemark, or trademark.”
When in doubt, find out if you will have to be compliant. There are some exceptions but, with how the fines are set up, it’s better to find out than to be intentionally unaware.
What Does The CCPA Do?
For consumers in California, the CCPA provides them with a number of rights. Those rights include knowing what of their personal data is being collected; whether that data is being sold or disclosed and to whom; being able to not allow the sale of their personal data; access to their data; requiring businesses to delete their personal information upon request; and protection from discrimination should they exercise their privacy rights.
For companies that must comply with the CCPA, it imposes requirements covering Notice, Disclosure, Delivery of Personal Information, the Right to Be Forgotten, and Non-Discrimination.
What Are The Penalties for Failure to Comply?
Compliance with privacy regulations, like the GDPR, brought stronger company security and greater resistance to breaches and hackers. But there are definitely additional reasons to comply with mandatory regulations — financial ones. CCPA compliance is backed up by a set of stiff penalties.
In the event of a data loss or breach, companies must pay damages of between $100 and $750 per resident and incident, or actual damages — whichever is determined to be larger. Additionally, there is a fine levied of up to $7500 for each intentional violation or $2500 for each unintentional violation. To be clear, that is per record.
GDPR Compliance ≠ CCPA Compliance
As nice as it might be, compliance with one does not create compliance with the other. Check out this great chart summarizing the similarities and differences between the GDPR and the CCPA.
How Does a Company Comply?
According to the lawyers at JDSupra, in order to comply with the CCPA, immediately take these five steps:
- Find out what personal information the business collects.
- Learn how personal information is being processed, who it is transmitted or accessible to, and how it is stored.
- Draft all the required notices and disclosures.
- Build a process for responding to consumer requests, including how to fully delete personal data.
- Review and amend contracts with third-party service providers to ensure the business can meet CCPA requirements.
Other Legislation to Know
With the CCPA going into effect and the GDPR handing out increasingly larger fines — and more small ones as well — this will not be the last piece of privacy legislation. Keep an eye on developments with:
- New York’s Privacy Act
- Massachusetts’s pending “An Act Relative to Consumer Privacy”
- California’s next privacy law, the California Privacy Rights Act (CPRA), being voted on this year, which will build on the CCPA
- Children’s Online Privacy Protection Act (CHOPRA) — aimed at children under the age of 13
- The New York State Department of Financial Services Cybersecurity Regulations (23 NYCRR 500) — aimed at how financial institutions handle and safeguard consumer data
- The Fair Credit Reporting Act (FCRA)
- The Family Educational Rights and Privacy Act (FERPA)
- The Health Information Portability and Accountability Act (HIPAA)
The past two years have quickly ushered in significant changes to privacy legislation and laws around the use and protection of personal data. 2020 will only see more of the same. Companies need to be aware of both current and pending legislation, and to recognize that embracing these changes and challenges will only help to secure their company, reputation, and financial security. The future will bring swift changes. The better a company knows how it manages, retains, and protects the data it holds, the faster it will be able to meet new expectations and the stronger it will be.
Keeping up on regulations and maintaining compliance is important for every organization. If you have any questions about the latest regulations, whether you need to be compliant, or how best to get your organization compliant, contact us at firstname.lastname@example.org or 1-877-810-7898. We are here to help your organization be stronger and more secure — find out how we can help today.