
CCPA: California Enforces New Privacy Laws Impacting all Businesses Collecting Data

By Steve Chhour, CPA | Manager - Assurance & Advisory

By Keith Hamasaki, CPA | Director - Assurance & Advisory

In recent years, the security of consumer data has been under significant scrutiny by all types of security organizations and governmental bodies around the world. Endless amounts of personal data are gathered by businesses daily. The European Union took the first step toward changing the data security landscape by implementing the General Data Protection Regulation (GDPR). The GDPR framework established new standards on data protection and privacy for all citizens of the European Union countries.[1] It didn't take long for California to follow suit with the California Consumer Privacy Act (CCPA).

CALIFORNIA CONSUMER PRIVACY ACT

California is home to approximately 40 million residents and has one of the largest economies in the world, with a gross domestic product of approximately $3 trillion. By enacting the CCPA, effective January 1, 2020, California became the first state to establish a statewide consumer privacy law. The CCPA is a comprehensive framework to protect California residents (consumers). Before the CCPA, consumers had minimal control over their personal information. Under the CCPA, consumers now have the right to:[2]

1. Know what personal information is collected, used, shared, or sold, both as to the categories and specific pieces of personal information;
2. Delete or move personal information held by businesses and, by extension, a business's service provider;
3. Opt out of the sale of personal information; minors under the age of 16 must provide opt-in consent, and a parent or guardian must consent for minors under the age of 13;
4. Non-discrimination in terms of price or service when a consumer exercises privacy rights under the CCPA; and
5. Hold businesses accountable for failing to take reasonable precautions to protect consumer personal information.

Compliance includes implementing processes for consumer data management and maintaining reasonable security controls. One of the major hurdles organizations face with the CCPA framework is implementing processes relating to consumer data management, including separating data collected based on the consumers’ privacy choices, providing consumers with two or more methods for submitting data requests, and delivering the requested information to the consumer within 45 days. The other major hurdle organizations face is maintaining reasonable security controls. Implementing and maintaining security controls are considered best practices in all industries and can be a monumental project for organizations of all sizes.

All businesses, even those located outside of California, are required to comply with the CCPA if they meet specific business criteria and collect personal information from any California resident. Businesses that meet one of the following criteria will be subject to the CCPA:[2]

1. Has gross annual revenue in excess of $25 million;
2. Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
3. Derives 50% or more of annual revenue from selling or sharing consumers' personal information.

The State of California Department of Justice will begin assessing penalties for non-compliance with the CCPA on July 1, 2020: $7,500 per intentional violation, $2,500 per unintentional violation, and up to $750 per consumer per incident for data breaches. Violations will result in significant consequences. Businesses are held accountable for any breach of consumer privacy rights, and the penalties are higher when the violation affects children. In addition to monetary penalties, businesses that fail to reasonably protect consumer personal information could suffer brand damage.


COMPLIANCE GUIDANCE

The assessment, development, and implementation of processes to comply with the CCPA can be a daunting task. So, where do companies begin? KROST’s cybersecurity experts have developed a dedicated CCPA framework and cybersecurity risk assessment to take out the guesswork. This process helps the business to meet the standard that it has implemented good faith efforts to comply with CCPA. Additionally, it includes a thorough review of privacy policies and internal controls to ensure compliance, complete with a checklist of requirements that need to be addressed by July 2020. Have questions about CCPA? We’re here to help. Contact us today.

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither KROST nor its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and KROST, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it.

[1] https://gdpr.eu/what-is-gdpr/

[2] https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf
