California passed the California Consumer Privacy Act (CCPA) on June 28, 2018, and it goes into effect tomorrow, Jan. 1, 2020. It's a law that protects the privacy rights of consumers within the state, but because the internet is everywhere, this law will transform the web forever. Similar to Europe's General Data Protection Regulation (GDPR), the CCPA will affect many businesses that collect personal information from those in California. The law allows Californians, known for being litigious, to sue businesses if their personal information is compromised in a data breach.
It will go into effect on Jan. 1, 2020, but most businesses don't know how this will affect them. A recent survey by ESET polled 625 business owners and executives to gauge the business readiness for this regulation. Nearly half (44.2%) had never heard of CCPA. Only 11.8% know if the law applies to them, and 34% are unsure if they need to change how they capture, store and process data.
It's worth noting that 2018 was the second-most active year for data breaches, according to Risk Based Security. There were 6,500 reported breaches, including some 5 billion records, ranging from mega-breaches of companies such as Facebook to much smaller ones.
Here's everything you need to know about the act, and what you can do to prepare as a small business owner.
What is the California Consumer Privacy Act?
Matt Dumiak, director of privacy services at CompliancePoint, and Greg Sparrow, senior vice president and general manager of CompliancePoint, said that the CCPA is a bill that will require businesses to implement new policies and procedures to ensure the protection of personal information. This includes privacy policies, security protections and facilitation of consumer rights.
However, businesses are not required to honor all consumer requests. Each request should be analyzed to ensure the business honors only those that apply, they said.
According to the CCPA website, the act protects the following consumer rights:
- Right to know all data collected on them, including what categories of data and why it is being acquired, before it is collected, and any changes to its collection
- Right to refuse the sale of their information
- Right to request deletion of their data
- Mandated right to opt in before the sale of information of children under 16
- Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired
- Enforcement by the attorney general of the state of California
- Private right of action should breach occur, to ensure companies keep their information safe
Dumiak and Sparrow said that businesses have 45 days to respond to consumer requests, and that any damages that occur due to a breach are limited to $750 per consumer per incident.
The CCPA, before it was amended through Assembly Bill 375, originally had more stringent regulations that might have nearly paralyzed the tech industry, which has thrived in California's Silicon Valley. But Dumiak and Sparrow noted that the official CCPA allows businesses a 30-day window to amend any violations, so long as they can prove the violations have been amended and that no more will occur. Otherwise, violators might face penalties of up to $7,500 per intentional violation.
How does it affect SMBs, and what can they do to prepare?
Dumiak and Sparrow noted that the bill will apply to "any business that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information." This includes businesses that collect or sell personal information from consumers in California, regardless of where the company itself is located.
The average annual revenue for a small business is less than $25 million. In fact, for businesses with between 20 and 99 employees, the average revenue is $7,124,000 million, according to QuickBooks. While the qualifications to be affected by this bill might exclude many small businesses, it doesn't mean you shouldn't prepare.
"The CCPA provides small businesses with incentive and motivation to start thinking about the personal data processed and protected within their business environment," said Dumiak. "Most organizations feel resource-constrained, and small businesses are no different, if not more so."
"California's law will raise the bar significantly, and this won't be the last time it's raised as states seek to emulate the EU's new GDPR," added Robert Cattanach, a partner at Dorsey & Whitney who helps clients navigate regulatory law. "This measure is likely to increase litigation as more consumer rights are created and expanded."
But the lack of awareness could lead to a lack of compliance, which could expose businesses to significant financial penalties.
"It's clear that businesses are confused about this upcoming regulation; they do not know whether they are subject to the law and what they need to do to become compliant," said Tony Anscombe, global security evangelist at ESET. "The penalties will be severe, and the financial harm could be grave to these firms. Businesses should particularly focus on the 'reasonable security' aspect of the law by ensuring they have stringent processes and practices in place, including strong endpoint protection and encryption, throughout their organization."
While California is just one state, its regulations are spreading awareness and encouraging like-minded individuals to speak up and take action. Businesses should expect similar laws to be passed across the country in the next few years. In fact, Nevada passed an amendment to its online privacy law, requiring businesses to offer consumers a right to opt out of the sale of their personal information. It took effect on Oct. 1, 2019. It is highly unlikely to be the last such bill to go into effect.
"Congress will feel pressure from both pro-privacy advocates to endorse the rights created by California, and businesses to try to bring uniformity to what is increasingly a dynamically evolving policy area," said Cattanach. "The bottom line is that this leverages on the concepts contained in GDPR and is certain to be picked up as the standard by other states."
The CCPA will go into effect in January of 2020, so small businesses have a little time to prepare. But not a lot. To do so, Dumiak said, they should review certain areas of business:
- Information security posture
- Personal data processing
- Honoring of access requests
- Other applicable rights or requirements
"Further, the fines and privacy right of action, while having an impact on any organization, will arguably be a larger percentage of their revenue and more impactful on business operations and revenue," said Dumiak. "While many see regulation as a headache, this regulation is a terrific opportunity for organizations, small and large, to get much-needed resource help in the security and business operations space."
If your small business hasn't already hired a data processing consultant to make sure your company is compliant with GDPR, now may be the time to investigate such a professional. You may want to look for someone who is certified by the International Association of Privacy Professionals (IAPP). It is the largest and most comprehensive global information privacy community, with some 40,000 members.
Even if you are already compliant, it's worthwhile to keep an eye on California regulations, as there are two bills currently under consideration that would expand CCPA. And there are nine bills being considered that would narrow the scope of CCPA.