On the heels of the EU’s General Data Protection Regulation (GDPR), California passed the strictest privacy law in the country, giving consumers unprecedented control over their personal data and imposing new penalties on businesses that don’t comply. The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, gives businesses that collect or sell California consumers’ personal information approximately 18 months to evaluate their business risk and implement steps to comply with this law.
California’s newly enacted law will impact any business with customers in California that have annual revenue exceeding $25 million or personal data for more than 50,000 consumers, or derive more than 50% of their annual revenue from selling consumers’ personal information.
Consumer Rights and Impacts of Enforcement
Notable protections afforded to California consumers include: the right to know all the data collected by a business; the categories and specifics on personal information that is collected; the sources of this personal information; the business purpose for collecting or selling personal information; the third parties with whom the information is shared and the right to have their personal information deleted.
CCPA provides consumers a private right of action for violations of the law, imposing penalties for violation of up to $750 per consumer per incident. The potential impact of these penalties is significant: a company that suffers a breach affecting 100,000 records with personal information can result in a potential fine of up to $75 million. An example of a violation includes the unauthorized access or disclosure of a consumer’s nonencrypted or nonredacted personal information. In addition, consumers who have suffered a data breach can sue companies for failing to protect their data under CCPA. This legislation creates a new avenue for privacy consumer class action litigation which, until now, has been difficult to move forward because the breach event could not be traced to specific consumer damage.
Evaluating Your Risk
CCPA compliance assessment requires review of current protocols for consumer data collection and processing. Critical privacy controls include:
-- A method to accept consumer requests for personal information.
-- Development of requisite data collection and data selling tracking processes.
-- The disclosure and delivery of consumer personal information with specific detail, as required under CCPA.
-- Provide a clear and conspicuous link on the business’ internet home page titled “Do Not Sell My Personal Information.”
-- Ensure that consumers are not discriminated against for opting out.