The California Consumer Privacy Act (CCPA), modeled in part on GDPR and passed in June 2018, is scheduled to come into effect in January 2020. Although some provisions are still being negotiated, it seems clear at this point that the CCPA will protect the personal data of people within a defined geographic area (in this case California) even when that data is being used by organizations outside of that area. These are its key provisions:
- The right of access by data subjects to know whether their data is being collected and processed, for what reasons, and with whom it’s being shared
- The right for a data subject to know what personal data is being collected and to whom the data was or is being sold
- The right to deletion, which requires an organization to delete on demand the personal data held about a data subject
- The requirement for organizations using Californians’ data to implement appropriate organizational and technical data protection measures to safeguard personal information
- Special protections for the personal data of children under age 16
CCPA applies to any for-profit organization that collects personal information about Californian consumers, determines how that information is processed, and meets one of these three criteria:
- The organization has annual gross revenues of more than $25M
- The organization buys, receives, sells, or shares the personal data of 50,000 or more Californian individuals, households, or devices per year
- The organization makes more than half its annual revenue from selling the personal information of Californian consumers
The proposed fines for failure to comply with the CCPA are steep: $2,500 per person per violation with no maximum for accidental breaches, and $7,500 per person per violation with no maximum for intentional violations or situations in which the business has failed to take required and reasonable steps to protect its data. It also allows people to sue for breaches at $100 to $750 per incident or higher. Given the number of records commonly affected by a data breach, these penalties could soar into the millions of dollars for a single incident.
If you need a useful checklist for preparing for the CCPA, we like this extremely readable report by Osterman Research about the CCPA’s requirements and the specific steps companies should take to ensure compliance. If that still seems a little overwhelming, contact us for help.