CCPA is coming, whether your business is ready or not.
California Consumer Privacy Act, or CCPA, is one of the most far-reaching consumer data privacy laws in the country. The California Legislature passed the law in 2018 in response to a series of high-profile data breaches, as well as an overall increase in global cyber security threats.
Part of a new wave of consumer privacy legislation at home and abroad, the CCPA law introduces sweeping changes to the world of data privacy protection.
“It’s a changing landscape,” says Don Thompson, co-founder and CEO of Capital Network Solutions. “California is definitely at the forefront of it.”
The law radically changes the ways that for-profit businesses must deal with their data. But is your business ready?
When does CCPA take effect?
CCPA took effect on Jun. 28, 2018, the day that outgoing California Gov. Jerry Brown signed it into law. However, the data privacy and breach notification requirements do not go into effect until Jan. 1, 2020.
Regulations will get finalized in the first half of 2020. The California Attorney General can’t enforce any actions under the law until Jul. 1, 2020, at the earliest.
Does the CCPA apply to my business?
That depends. Right now, the CCPA only applies to for-profit businesses that meet ALL THREE of the following conditions:
- The company does business in California.
- It collects consumers’ personal information, either directly or through a third party.
- It determines the purpose and means of processing that personal information.
Even if a business meets all three of these conditions, it must still meet ONE OF THE FOLLOWING THREE thresholds:
- It has annual gross revenues above $25 million.
- It annually transacts, for commercial purposes, the personal information of 50,000 or more consumers, households or devices.
- It derives 50 percent or more of its annual revenue from selling personal information.
If my business does not meet the above conditions, are we in the clear?
Not necessarily. If you deal with any vendors that process personal information, you may need to include new contractual terms in your agreements.
Also important to remember: even though CCPA only applies to large businesses now, it is likely the tip of the iceberg.
“My take on it is this is the first step, and there will be multiple steps going forward, and that threshold will drop,” Thompson says.
How does the CCPA apply to out-of-state businesses?
CCPA compliance applies to any business that collects personal data on California residents. That holds even if the company does not operate a location in California.
However, we should note that the CCPA does not apply to nonprofit organizations. It also does not apply to California state and local government entities.
What new consumer rights does CCPA create?
Thanks to CCPA, California residents now have several new rights. They have the right to know what information gets collected about them, who collects it, why it gets collected and where it gets shared.
Consumers can prevent companies from selling or sharing their data. They can even ask for the data to get deleted altogether.
CCPA also makes it easier for victims of a data breach to sue the responsible company.
Does CCPA only apply to consumer data?
No. CCPA applies to employee data as well as consumer data, and a breach of either is penalized the same way.
“A lot of people think they don’t have information on their customers, but they probably do on their employees,” Thompson says.
What does CCPA define as “personal information”?
The CCPA creates a broad-ranging definition of “personal information” that applies to a wide variety of industries. According to the law, “personal information” includes everything from names, addresses and driver’s license numbers to purchase records, Internet search histories and employment data.
What are the penalties for non-compliance with CCPA?
If a business is found to violate CCPA rules, the California Attorney General may impose civil penalties if the problem does not get remedied within 30 days. The monetary penalties range between $2,500 and $7,500 per violation.
Additionally, California residents whose rights get violated under the terms of the CCPA can sue for civil damages. The penalty ranges between $100 and $750 per user, per incident. That doesn’t sound like a lot, but a data breach involving thousands of users can add up quickly.
Courts will determine the exact amount of statutory damages. They will base their determinations on the seriousness, volume and frequency of the violations, among other factors.
Is the CCPA set in stone?
Not at all. CCPA remains a work in progress. As mentioned above, final regulations are still about a year away. Also, the California State Legislature continues to debate amendments to the law, including a recent proposal to dismantle the 30-day grace period mentioned above.
Are most companies that do business in CA ready for CCPA?
No, despite the broad scope and harsh penalties of the law. A survey conducted by Compliance Week and TrustArc found that most businesses impacted by CCPA are still in the “early stages of their readiness plans.”
Furthermore, nearly one-third of those companies expect to spend more than $100,000 on CCPA-related compliance expenses in the next year. Meanwhile, only 20 percent of those businesses expect to pay nothing.
How does CCPA compare to GDPR?
The European Union adopted the General Data Protection Regulation (GDPR) in 2016. It became enforceable starting on May 25, 2018.
Like CCPA, GDPR established new requirements for companies that process personal data. There are numerous similarities between the two laws, as well as some key differences.
For example, GDPR does not contain the minimum revenue requirements of CCPA, so the scope of the EU law is considered much broader. However, GDPR does not give consumers the specific opt-out right offered by CCPA.
Of course, GDPR and CCPA are just the beginning. Earlier this year, Massachusetts made amendments to strengthen the state’s data breach notification laws significantly. Meanwhile, CCPA-like legislation is getting debated in Washington, New Jersey and Texas, among many other states.
What should I do to prepare for January 1, 2020?
If your business is going to be affected by CCPA, the first thing you need to do is map out all the personal information that you collect. Start by asking these questions:
- What personal data do you collect?
- What do you do with it?
- From where do you collect it?
- Where and how is it stored, and for how long?
- With whom do you share it?
You should also start to collect, review and revise all your third-party agreements.
Does my business need cyber liability insurance?
Many business owners believe that their existing liability insurance covers the costs of a data breach, but that is probably not the case. “Cyber liability insurance is going to become a bigger and bigger issue,” Thompson says. “They can’t make you get it, but they can sure fine you if you don’t.”
Cyber insurance policies usually cover data breach costs related to legal fees, business downtime, customer notification, public relations, forensic investigations and more.
It might not be right for companies that don’t store personal data, but businesses that handle sensitive information should evaluate their options.
How can I protect my business against a cyber attack in the first place?
You can help protect your business data by strengthening your IT defenses. A comprehensive cyber security plan consists of strong safeguards on the perimeter and interior of your system, with a shield that extends offsite.
PERIMETER DEFENSES – firewall, antivirus software, SPAM filter, intrusion detection, penetration testing
INTERIOR DEFENSES – cyber security awareness training, data backups, password protocols, vulnerability testing
OFFSITE DEFENSES – multifactor authentication, mobile device management, cloud storage
If you are still concerned about your network security, call Capital Network Solutions at (916) 366-6566. We can discuss your cyber security risks and come up with a plan to protect your business.