2018 has been the year of regulation in the information security community: from the General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), privacy and security are more important than ever. 2019 is said to be the year of compliance, as companies across the United States begin to look at how the CCPA will impact their business in 2020. To help you prepare for January 1, 2020, we have put together the information you need to know about the CCPA so you can start thinking about how you are going to secure your consumers' data.
- On June 28, 2018, the California Consumer Privacy Act of 2018 was passed by the State of California legislature and its governor.
- On January 1, 2020, the California Consumer Privacy Act of 2018 takes effect.
- The Act gives “consumers” (defined as natural persons who are California residents) four basic rights in relation to their personal information:
  - the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
  - the right to have a business delete their personal information, with some exceptions; and
  - the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
- You must follow the CCPA if you are a for-profit business that controls and collects California residents’ information, operates in the state of California, and:
  - (a) has annual gross revenues in excess of $25 million; or
  - (b) receives or discloses the personal information of 50,000 or more California residents, households or devices on an annual basis; or
  - (c) derives 50 percent or more of its annual revenues from selling California residents’ personal information.
- The Act also draws in corporate affiliates of such businesses that share their branding. That means that not-for-profits, small companies, and/or those that do not traffic in large amounts of personal information, and do not share a brand with an affiliate who is covered by the Act, will not have to comply with the Act.
- Personal Information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- The Act can be enforced by the California Attorney General, subject to a thirty-day cure period. The civil penalty for intentional violations of the Act is up to $7,500 per violation.
GDPR and CCPA are a sign that consumer privacy is becoming a priority. We anticipate California being the first of many states that will begin to develop regulation around privacy. Since this law protects California-based “consumers”, many companies both in the United States and overseas will be subject to its requirements, similar to how GDPR applies to companies handling the data of residents of the European Union.
If your organization is interested in learning more about how to secure your data, define your policies and prepare for 2020, we would love to hear from you to figure out how we can assist. Simply fill out this form.