On January 1, 2020, California's CCPA, short for California Consumer Privacy Act, went into effect. Similar to the European Union's General Data Protection Regulation (GDPR), CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. In this article we cover the three areas of concern for business owners: What is CCPA, does it impact my business, and what are the penalties?
What is CCPA and What Protections Does It Provide?
The California Consumer Privacy Act is a set of regulatory laws passed in June of 2018 and in effect as of January 1, 2020 that impacts websites conducting business in California. According to the CCPA website, the act protects the following consumer rights:
- Right to know all data collected on them, including what categories of data and why it is being acquired, before it is collected, and any changes to its collection
- Right to refuse the sale of their information
- Right to request deletion of their data
- Mandated right to opt in before the sale of information of children under 16
- Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired
- Enforcement by the attorney general of the state of California
- Private right of action should breach occur, to ensure companies keep their information safe
Does CCPA Impact My Business?
While your business may not meet the criteria for CCPA, it is worthwhile to review and learn more, as these regulations are certain to spread to other states, just as GDPR impacts businesses in the U.S. and globally. What businesses are potentially liable? All businesses that have a website that may engage consumers in California and gather user data are subject to CCPA if they meet any of the following criteria:
- Any business that earns $25 million or more in revenue per year
- Sells 50,000 consumer records per year
- Derives 50% of its annual revenue from selling personal information
This includes businesses that collect or sell personal information from consumers in California, regardless of where the company itself is located.
What Are The Penalties?
Considering that privacy and protecting consumer data are important to customer trust and good for all of us, we feel that the best approach is to comply regardless of penalties as a best practice and to future-proof your business against future litigation. That being said, there are some very real implications to businesses that meet the aforementioned criteria. These penalties include:
- Businesses have 45 days to respond to consumer requests or challenges
- CCPA allows 30 days to amend reported violations
- Up to $750 paid in damages per consumer due to a data breach
- Up to $7,500 per intentional violation (if previously claimed as amended)
What Can You Do To Be In Compliance and Protect Your Business?
If your business meets the criteria for potential liability due to non-compliance, you will need to take action as soon as possible. There is a 6-month rollout period where demonstrating that steps are being made to comply with CCPA will prevent litigation for minor breaches. For everyone else, these steps will also protect against future violations as regulation becomes more widespread.
- Engage a data processing consultant for CCPA and GDPR compliance issues
- Develop a strategy and policy for consumer data protection and make this policy available from your website
- Be prepared to address consumer requests relating to data concerns, including the ability to provide all collected data, opt-out, and ability to delete
- Implement required website updates coordinating with your website developer and/or using a number of third-party solutions that can assist in compliance with review, monitoring, and drafting privacy policies
How Can Cyber-NY Help with CCPA Changes?
If you currently host your website on our Logic Cloud Platform, we are implementing updates that will help with compliance. Similar to GDPR updates to Logic, a modal message can be added to notify visitors of cookie and third-party data collection policies that can link to a data usage policy page containing customer support details and a request form for data inquiries. Check with your Cyber-NY rep to conduct a review of your website and evaluate necessary updates.