Although the California Consumer Privacy Act (CCPA) technically applies only to the Golden State, California residents shop online with out-of-state businesses. As such, if your business collects personal information from people in California, you must comply with the CCPA no matter your location. However, if you’ve already taken steps to comply with Europe’s General Data Protection Regulation (GDPR), you likely already meet many of the CCPA’s requirements. Here’s what you should know about the CCPA and business compliance.
The California Consumer Privacy Act (CCPA) is a California state law that protects the following California consumer rights:
Consumers can sue businesses for CCPA noncompliance only in the event of a data breach. In all other cases, the California Attorney General’s office handles legal action around CCPA noncompliance.
Businesses have 45 days to respond to consumer requests, though this time frame is just 15 days for opt-out requests. Any damages that occur due to a qualifying data breach are limited to $750 per consumer per incident.
Before it was amended through Assembly Bill 375, the CCPA originally had more stringent regulations that might have nearly paralyzed the tech industry, which has thrived in California’s Silicon Valley. But the official CCPA allows businesses a 30-day window to cure any violations, as long as they can prove the violations have been cured and that no further violations will occur. Otherwise, violators might face a penalty of up to $7,500 per intentional violation.
All businesses with gross annual revenue in excess of $25 million must comply with the CCPA. So too must all businesses that earn at least 50 percent of their revenue from the sale of California residents’ data. A third qualifying class of businesses exists: any that buy, sell or share data obtained from at least 100,000 California residents, devices or households. These criteria apply to all businesses that collect or sell personal information from consumers in California, regardless of where the company itself is located. Businesses inside California are as affected as out-of-state entities.
The University of California, Berkeley’s Center for Long-Term Cybersecurity has pointed to the following CCPA business impacts as the most important:
The Berkeley report recommends the pursuit of newer regulatory frameworks to close any gaps in the CCPA and similar laws. Expect future data protection laws to gradually start looking different from the CCPA.
While the CCPA technically might not cover your business, this doesn’t mean you shouldn’t prepare.
“The CCPA provides small businesses with incentive and motivation to [think] about the personal data processed and protected within their business environment,” said Matt Dumiak, director of privacy services at CompliancePoint. “Most organizations feel resource-constrained, and small businesses are no different, if not more so.”
“California’s law [raises] the bar significantly, and this won’t be the last time it’s raised as states seek to emulate the GDPR,” added Robert Cattanach, a partner at Dorsey & Whitney who helps clients navigate regulatory law. “This [law] is likely to increase litigation as more consumer rights are created and expanded.”
A lack of awareness could lead to a lack of compliance, which could expose businesses to significant financial penalties.
“It’s clear that businesses are confused about this regulation; they do not know whether they are subject to the law and what they need to do to become compliant,” said Tony Anscombe, chief security evangelist at ESET. “Businesses should particularly focus on the ‘reasonable security’ aspect of the law by ensuring they have stringent processes and practices in place, including strong endpoint protection and encryption, throughout their organization.”
While California is just one state, its regulations are spreading awareness and encouraging like-minded individuals to speak up and take action. Businesses should expect similar laws to be passed across the country in the next few years. In fact, Nevada, Colorado, and Virginia have all passed similar laws.
“Congress will feel pressure from both pro-privacy advocates to endorse the rights created by California, and businesses to try to bring uniformity to what is increasingly a dynamically evolving policy area,” said Cattanach. “The bottom line is that this leverages on the concepts contained in GDPR and is certain to be picked up as the standard by other states.”
Hawaii, Indiana, Kentucky, Montana, New Hampshire, Oklahoma and Vermont have advanced their own consumer privacy acts. Although it remains to be seen whether these proposed bills will become law, more such legislation is expected in the years to come.
Dumiak recommended reviewing the following business areas for CCPA compliance:
“Further, the fines and privacy right of action, while having an impact on any organization, will arguably be a larger percentage of their revenue and more impactful on business operations and revenue,” said Dumiak. “While many see regulation as a headache, this regulation is a terrific opportunity for organizations, small and large, to get much-needed resource help in the security and business operations space.”
If your small business hasn’t already hired a data processing consultant to make sure your company is compliant with GDPR, now may be the time to investigate such a professional. You may want to look for someone who is certified by the International Association of Privacy Professionals (IAPP). It is the largest and most comprehensive global information privacy community, with 40,000 members.
The CCPA covers any business, in any location, that processes California consumer data. Other states’ data laws, which are almost certain to be passed in the coming months and years, will be similarly expansive. This means it’s always a good time for your business to devote resources to data best practices. With a qualified consultant on your side, you can check all the required boxes while focusing on running your business. This way, you stay in good graces with the law – and your customers too.