What is CCPA and how does it affect your business?

What is CCPA and how does it affect your business?

Being home to Silicon Valley, it’s no surprise that the state of California would come up with its own data privacy regulations. Called the California Consumer Privacy Act of 2018 (CCPA), this new law will give Californians certain rights regarding their personal data. Once CCPA takes effect on January 1st, 2020, California residents will have the right to:

  • Learn what information companies are gathering about you, and for what purpose
  • Access such information, and to have it erased
  • Know if their personal info is disclosed to other parties, and, if so, to know who those
    parties are
  • Know if their personal info is for sale, and, if it is being sold, to opt out of such sales
  • Receive equal price and service regardless of whether or not they invoke their privacy rights

While it is seen as a lighter version of the EU’s General Data Protection Regulation (GDPR), CCPA is rather stringent by U.S. standards. As a business manager, here’s what you need to know about the new law:

Coverage

  1. It covers all businesses that operate in California, not just those that hail from that state
  2. It is meant to affect these business classes:
    1. Data brokers – firms that either trade more than 50,000 records per year or make most of their revenue by selling personal information
    2. Companies with more than US$25 million in gross revenues annually, i.e., medium to large businesses

Collection of information

  1. Firms that are subject to CCPA must update their privacy policies to include the privacy rights granted to customers under CCPA
  2. Businesses must ask customers if they are below 16 years of age. If they are, companies must first ask for permission to gather information about them. Opt-in for children under 13 must be given by their parent or legal guardian.

Sale of personal information

  1. If a business obtains a person’s information, that business may not sell that information until that person is first notified and informed of their right to opt out first.
  2. Companies affected by CCPA must include a link in their homepage and privacy policy page that brings customers to an opt-out page. This opt-out page must be accessible without having to sign up for anything.

Penalties

  1. Firms that fail to uphold the privacy rights granted by CCPA can face a fine of $2,500 per violation. If the law is kept intact (i.e., if it isn’t amended), a violation will be counted per person per incident.
  2. Willful violations of CCPA, such as the sale of personal data without prior disclosure, can be fined up to $7,500 per violation.
  3. If a company suffers a data breach, be it at the hands of cyberthieves or by employees who accidentally or intentionally release such info, consumers can file a class action lawsuit and sue that company for either an amount between $100 and $750 per data record or actual damages, whichever is greater.

Though there is a chance that the law is amended or watered down prior to January 1, 2020, companies would be wise to adopt measures for complying with CCPA in its current form. Additionally, this landmark law can become the basis for privacy rights laws in other states or even the entire country. This means that even if your business does not operate in California, you would do well to keep yourself abreast of the latest legal developments nonetheless.

As the legal landscape shifts in California and the rest of the country, it is easy to fall into a labyrinth of compliance regulations. Turn to Prosum to help you navigate this challenging landscape. Our experts have the experience and foresight needed to always remain on top of your compliance requirements.