The California Consumer Privacy Act represents a significant milestone for consumer data privacy in the U.S.
Tired of the federal government dragging its feet on consumer data privacy legislation, states have started to take matters into their own hands. The biggest example is the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. Ironically, the CCPA was signed into law the day after news of the Exactis data leak broke.
Who must comply with the California Consumer Privacy Act?
The CCPA applies to any for-profit entity “doing business” in the state of California, whether or not it has a physical presence in the state, that meets at least one of the following criteria:
- Gross annual revenue above $25 million
- Annually buys, receives, or shares personal information belonging to 50,000 or more California consumers, households, or devices
- Derives at least half of annual revenue from selling personal information belonging to California consumers
What’s in the CCPA?
While the CCPA doesn’t go as far as the GDPR, which applies to the entire European Union and not just one member state, it has a lot of moving parts and gives California consumers sweeping new rights regarding their data and what companies do with it. Under the CCPA, California residents will have:
- The right to know what information companies are collecting, what categories of data will be collected prior to collection, and why they are collecting it. Companies will be prohibited from collecting data from minors under age 16 unless they opt in.
- The right to prohibit companies from selling their information.
- The right to know the categories of third parties with whom their data is being shared.
- The right to know the categories of sources of information from whom their data was acquired.
“Selling” and “personal information” defined very broadly
Businesses should note that under the CCPA, the act of “selling” personal information does not necessarily require that money be exchanged. It also applies to “disclosing, disseminating, making available, transferring,” and more. Companies also won’t be able to get away with burying “do not sell” instructions in a TOS the size of “War & Peace.” The CCPA requires a “clear and conspicuous” section on business websites specifically titled, “Do Not Sell My Personal Information.”
The CCPA also greatly expands the definition of “personal information” to refer to anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It then goes on to list a number of specific examples, including IP address, browser history, biometric data, and geolocation data.
Businesses can be fined up to $7,500 for each violation of the CCPA.
As California goes, so goes the nation. Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island are among the states that have proposed laws very similar to the CCPA, and enterprises can expect similar legislation or even ballot initiatives in other states.
While January is coming up fast, there’s still time to get ready for the CCPA if you start right now. Businesses that already comply with the GDPR have a leg up on CCPA compliance.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.