Reports of data breaches in the news have become so common that it seems we hardly notice anymore. Just in the first few months of 2019, there have been over 50 high-profile data breaches in the United States alone.
Some of these breaches struck major companies such as Facebook, Dunkin’ Donuts, and Dow Jones, but breaches have also hit schools (Georgia Tech), video game companies (Fortnite), and government agencies (FEMA).
In order to force businesses to take stronger control of their security, the European Union has established the General Data Protection Regulation (GDPR) which is causing major changes to the way companies handle data in Europe. Now, California has established the first major law of this type in the United States, the California Consumer Privacy Act (CCPA) of 2018.
What is the CCPA?
CCPA passed in 2018, but does not go into effect until January 1, 2020, allowing companies time to comply with the new regulations. It places certain obligations on any company doing business in California. (For the purposes of this law, government agencies and non-profit groups are exempted.)
Just as with the GDPR, the law can apply to businesses that are physically located outside of California but that do business with California residents, such as an e-commerce website that sells items to a resident of California and ships them there. CCPA will impose penalties on companies that fail to comply, up to $7,500 per offense. CCPA covers five basic tenets:
- California residents have the right to know what personal information is collected about them by different companies;
- California residents must have access to the personal information collected;
- California residents have the right to know if their personal information is shared with other entities or companies and, if so, who those are;
- California residents have the right to know if their personal information is sold by the collecting company and, if so, they have the right to opt out of such sale;
- California residents have the right to equal service and price regardless of whether they exercise their privacy rights. (In other words, the company cannot charge the customer more or deny them services if they opt out of the sale of their data.)
Perhaps the most important portion of CCPA is that customers will have the ability to seek legal recourse against companies that do not properly comply with this law and protect their digital privacy. Again, a fine of $7,500 can be imposed for each offense. If a company is in non-compliance with 1,000 customers, they could be hit with a $7.5 million fine.
What businesses will be impacted by CCPA?
For the purposes of the law, a business must meet one of the following qualifications to be subject to the CCPA:
- Annual gross revenues of $25 million or more.
- Handles the data of more than 50,000 people (or devices).
- Makes at least 50% of its gross revenue from the selling of personal data.
If a company is partially owned by a corporation that meets these requirements, it is also required to be in compliance.
The CCPA is set to be a game-changer when it comes to the manner in which businesses operate in California. If you’re already in compliance with the European Union’s GDPR, then you’re probably in compliance (or very nearly so) with the CCPA. However, steps must be taken to ensure full compliance before the law takes effect next year.