Perhaps you missed it or maybe you didn’t pay attention because you thought it doesn’t apply to you, but a new, wide-reaching privacy law goes into effect this year.
This one hails from California and is called the California Consumer Privacy Act (CCPA). In case you were intimidated by the GDPR (the European Union’s far-reaching privacy law that went in to effect in May 2018), you can relax a little, because the CCPA is considered the GDPR’s “little cousin.”
Just don’t relax too much.
Similar to the GDPR, the CCPA limits businesses in their handling of consumer personal information, including its collection and sale. The CCPA also provides consumers with specific rights regarding their personal information.
If your business has annual gross revenues in excess of $25 million, if it handles the personal information of 50,000 or more consumers, or if 50% of its annual revenue is derived from the sale of personal information, and if it also does business in California, then the CCPA likely applies in some way to your business. The new law does not require that your business be physically located in California. Instead, your business may be considered “doing business” in California simply if it has employees who reside in California (or consider California “home”), if it conducts online transactions with California consumers or if it has other connections to California. While there are certain exceptions applicable to businesses that are regulated under other statutory schemes (such as the Health Insurance Portability and Accountability Act of 1996), the CCPA appears to be purposefully expansive to include most businesses meeting these requirements that collect information pertaining to California consumers.
If the CCPA indeed applies to your business, it needs to comply with the broad range of rights provided to California consumers. In addition to general security safeguards, the CCPA requires your business to provide specific notices to California consumers – including notice of the type of information your business is collecting about them and the purpose for which you are collecting it. It also requires your business to grant these consumers the right to request and access their collected information and requires your business, in most instances, to delete their information upon request. The CCPA also requires your business to provide these consumers the ability to “opt out” of the sale of their personal information and may require your business to include specific “do not sell” links on its website. Also, the CCPA prohibits your business from treating California consumers who exercise these rights under the CCPA differently from those who have not.
While the fines are not as steep as those imposed by the GDPR, the stakes still are high. If the CCPA applies to your business but it fails to comply, your business can be subject to penalties of up to $7,500 per violation. These penalties could get steep when you consider that a violation is often widespread and the fines would be multiplied for each individual, each mishandled record or each consumer request. In addition to enforcement by the California attorney general, the CCPA also provides individual California consumers a private right of action against the offending business, which invites costly class action lawsuits.
If the CCPA applies to your business there are several things you should start doing immediately to increase your business’ ability to comply and to avoid the costly price of noncompliance. For starters, if you haven’t done it recently, have your policies and notices, including your website privacy notices, reviewed for compliance. Also, if your business utilizes the services of third party providers who have access to consumer personal information you provide them, you should revisit your service agreements and determine if these agreements provide for appropriate handling of the information in compliance with the CCPA. You should also ensure that your written incident security program can demonstrate compliance with the CCPA, including its general security safeguard requirements. While certain aspects of the CCPA went in to effect as of January 1, the good news is that most of its implementation goes in to effect July 1.
For more information about the CCPA or assistance determining if or how the CCPA applies to your business, please contact me or any member of the Barley Snyder Cybersecurity Service Team.