Enforcement of the California Consumer Privacy Act (CCPA) began as scheduled on July 1. Any organization covered by the law could be fined up to $7,500 per data record for failure to comply. What’s more, the CCPA allows individual consumers to file lawsuits against businesses for data breaches if the state attorney general declines to prosecute the case.
You might think that a California privacy law wouldn’t apply to your business in Florida. Unfortunately, you might be wrong.
The CCPA applies to any for-profit business anywhere in the world that serves California residents and has at least $25 million in annual revenue. Businesses of any size that store personal data on at least 50,000 people or that earn more than half their revenue from the sale of personal data are also covered. A business that shares common branding with an entity covered by the CCPA will also be subject to compliance requirements.
Given the stakes, organizations that think they might be covered by the law should take steps to ensure compliance.
Under the CCPA, California residents have the right to know what data has been collected, to access that data and to have that data deleted. They also have the right to know whether their information is sold or disclosed and to whom, and to opt out of having their data sold to third parties. The CCPA’s definition of personal information goes beyond the traditional data elements covered by most data breach notification laws to include biometric information, Internet activity and more.
To minimize the risk of unauthorized data theft or disclosure, covered businesses are required to implement and maintain “reasonable security procedures and practices.” If a data breach occurs, each affected consumer can recover up to $750 or actual damages, whichever is greater. The data breach rules do not apply to data that is encrypted or that has been redacted or aggregated and cannot be linked to an individual consumer or household.
The CCPA is less stringent than the European Union General Data Protection Regulation (GDPR), which requires that data collection and storage have a legal basis and mandates data governance best practices. However, organizations that have already undertaken efforts to comply with the GDPR are well on their way to CCPA compliance.
If you haven’t yet addressed CCPA requirements, there are some basic steps you can take to get started:
- Identify the types of consumer information you collect and how that data is maintained
- Develop processes for tracking data that is shared with or sold to third parties
- Establish procedures for responding to and tracking consumer requests
- Assess your cybersecurity controls against applicable legal requirements and industry standards
- Upgrade your cybersecurity tools and processes as needed to close gaps
- Implement an incident response plan and develop processes for keeping it up to date
This is by no means an exhaustive list, nor is it a substitute for consulting your legal counsel regarding compliance requirements. Keep in mind, also, that other states are considering more stringent privacy laws. It may make good business sense to develop an overarching data privacy program in anticipation of those rules.
Verteks can assist you with some aspects of your compliance program, including security assessments and upgrades. Let us help you meet CCPA requirements and avoid potentially devastating fines, lawsuits and reputational damage.