CCPA is here, whether your business is ready or not.
California Consumer Privacy Act, or CCPA, is one of the most far-reaching consumer data privacy laws in the country. The California Legislature passed the law in 2018 in response to a series of high-profile data breaches, as well as an overall increase in global cyber security threats.
Part of a new wave of consumer privacy legislation at home and abroad, the CCPA law introduces sweeping changes to the world of data privacy protection.
“It’s a changing landscape,” says Don Thompson, co-founder and CEO of Capital Network Solutions. “California is definitely at the forefront of it.”
The law radically changes the ways that for-profit businesses must deal with their data. California became the first state to pass a data breach notification law in 2003, and CCPA takes those consumer protections even further. But is your business ready for CCPA?
When does CCPA take effect?
CCPA technically took effect on June 28, 2018, the day that outgoing California Gov. Jerry Brown signed it into law. However, the data privacy and breach notification requirements did not go into effect until Jan. 1, 2020.
Regulations will get finalized in the first half of 2020. The California Attorney General can’t enforce any actions under the law until July 1, 2020, at the earliest.
On Oct. 10, Attorney General Becerra introduced a 24-page framework of CCPA draft rules. The draft included new rules for collecting the information of minors, and it offered additional details on opt-out provisions. Becerra’s office will hold public input hearings on the draft regulations over the next two months.
Did the CCPA get amended?
Yes, although the changes were not as business-friendly as consumer advocates initially feared. On Oct. 13, Gov. Gavin Newsom signed seven CCPA amendments into law, most of them clarifying or industry-specific.
Assembly Bill 1202, for example, requires data broker registration. Meanwhile, Assembly Bill 25 exempts the personal information of employees and applicants for one year. And Assembly Bill 1146 exempts information related to vehicle warranties and recalls.
Does the CCPA apply to my business?
That depends. Right now, the CCPA only applies to for-profit businesses that meet ALL THREE of the following conditions:
- The company does business in California.
- It collects consumers’ personal information, either directly or through a third party.
- It determines the purpose and means of processing that personal information.
Even if a business meets all three of these conditions, it must still meet ONE OF THE FOLLOWING THREE thresholds:
- It has annual gross revenues above $25 million.
- It annually transacts for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- At least 50% of its annual revenues are derived from selling personal information.
If my business does not meet the above conditions, are we in the clear?
Not necessarily. If you deal with any vendors that process personal information, you may need to include new contractual terms in your agreements.
Also, even though CCPA only applies to large businesses now, it is likely the tip of the iceberg.
“My take on it is this is the first step, and there will be multiple steps going forward, and that threshold will drop,” Thompson says.
How does the CCPA apply to out-of-state businesses?
CCPA compliance applies to any business that collects personal data on California residents. This holds even if the company does not operate a location in California.
However, we should note that the CCPA does not apply to nonprofit organizations. It also does not apply to California state and local government entities.
What new consumer rights does CCPA create?
Thanks to CCPA, California residents now have several new rights. They have the right to know what information gets collected about them, who collects it, why it gets collected and where it gets shared.
Consumers can prevent companies from selling or sharing their data. They can even ask for the data to get deleted altogether.
CCPA also makes it easier for victims of a data breach to sue the responsible company.
Does CCPA only apply to consumer data?
No. CCPA applies to employee data as well as consumer data, and it penalizes breaches of either kind on the same level.
“A lot of people think they don’t have information on their customers, but they probably do on their employees,” Thompson says.
What does CCPA define as “personal information”?
The CCPA creates a broad-ranging definition of “personal information” that applies to a wide variety of industries. According to the law, “personal information” includes everything from names, addresses and driver’s license numbers to purchase records, Internet search histories and employment data.
What are the penalties for non-compliance with CCPA?
If a business is found to violate CCPA rules, the California Attorney General may impose civil penalties if the problem does not get remedied within 30 days. The monetary penalties range between $2,500 and $7,500 per violation.
Additionally, California residents whose rights get violated under the terms of the CCPA can sue for civil damages. The penalty ranges from $100 to $750 per user, per incident. That doesn’t sound like a lot, but a data breach involving thousands of users can add up quickly.
Courts will determine the exact amount of statutory damages. They will base their determinations on the seriousness, volume and frequency of the violations, among other factors.
In early February, plaintiff Bernadette Barnes filed the first lawsuit to cite CCPA in U.S. District Court. Barnes filed suit against Salesforce.com Inc. and children’s apparel company Hanna Andersson for their roles in a malware-related data breach.
How does CCPA compare with GDPR?
The European Union adopted the General Data Protection Regulation (GDPR) in 2016. It became enforceable starting on May 25, 2018.
Like CCPA, GDPR established new requirements for companies that process personal data. There are numerous similarities between the two laws, as well as some key differences.
For example, GDPR does not contain the minimum revenue requirements of CCPA, so the scope of the EU law is considered much broader. However, GDPR does not give consumers the specific opt-out right offered by CCPA.
It should be noted, though, that in the first year of GDPR, the European Data Protection Board recorded:
- 65,000 data breach notifications
- 206,326 data breach complaints
- $63 million in imposed fines
Of course, GDPR and CCPA are just the beginning. After the passage of CCPA, several more states expanded or strengthened their consumer data protection laws, including New York with the SHIELD Act. In October, New York Attorney General Letitia James filed breach-related litigation against Dunkin’ Donuts for purportedly mishandling a 2015 cyberattack.
What should I do to prepare for CCPA enforcement?
If your business is going to be affected by CCPA, the first thing you need to do is map out all the personal information that you collect. Start by asking these questions:
- What personal data do you collect?
- What do you do with it?
- From where do you collect it?
- Where and how is it stored, and for how long?
- With whom do you share it?
You should also start to collect, review and revise all your third-party agreements.
What about the new data privacy ballot proposal?
San Francisco developer Alastair Mactaggart gets a lot of credit for pressuring California legislators to pass CCPA. He backed a 2018 ballot measure with even stricter data privacy regulations, but he withdrew it when CCPA passed.
However, tech companies and other industries lobbied hard to undermine the new law before it could get implemented.
Mactaggart recently announced he is backing a 2020 ballot measure aimed at safeguarding CCPA. The ballot measure would create a new state agency tasked with enforcing “privacy provisions.”
Many business owners believe that their existing liability insurance covers the costs of a data breach, but that is probably not the case. “Cyber liability insurance is going to become a bigger and bigger issue,” Thompson says. “They can’t make you get it, but they can sure fine you if you don’t.”
Cyber insurance policies usually cover data breach costs related to legal fees, business downtime, customer notification, public relations, forensic investigations and more.
It might not be right for companies that don’t store personal data, but businesses that handle sensitive information should evaluate their options.
How can I protect my business against a cyberattack in the first place?
You can help protect your business data by strengthening your IT defenses. A comprehensive cyber security plan consists of strong safeguards on the perimeter and interior of your system, with a shield that extends offsite.
PERIMETER DEFENSES – firewall, anti-virus software, spam filter, intrusion detection, penetration testing
INTERIOR DEFENSES – cyber security awareness training, data backups, password protocols, vulnerability testing
OFFSITE DEFENSES – multi-factor authentication, mobile device management, cloud storage
If you are still concerned about your network security, Capital Network Solutions can help. To better combat contemporary cyber threats, CNS now offers a full suite of security and compliance solutions. We provide dark web scans, security awareness training, device and email encryption and more.