On the heels of the EU’s General Data Protection Regulation (GDPR), California passed the strictest privacy law in the country, giving consumers unprecedented control over their personal data and imposing new penalties on businesses that don’t comply. The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, gives businesses that collect or sell California consumers’ personal information approximately 18 months to evaluate their business risk and implement steps to comply with this law.
California’s newly enacted law will impact any business with customers in California that has annual revenue exceeding $25 million, holds personal data for more than 50,000 consumers, or derives more than 50% of its annual revenue from selling consumers’ personal information.
Consumer Rights and Impacts of Enforcement
Notable protections afforded to California consumers include: the right to know all the data collected by a business; the categories and specifics of the personal information that is collected; the sources of this personal information; the business purpose for collecting or selling personal information; the third parties with whom the information is shared; and the right to have their personal information deleted.
CCPA provides consumers a private right of action for violations of the law, imposing penalties for violation of up to $750 per consumer per incident. The potential impact of these penalties is significant: a company that suffers a breach affecting 100,000 records with personal information can face a potential fine of up to $75 million. An example of a violation includes the unauthorized access or disclosure of a consumer’s nonencrypted or nonredacted personal information. In addition, consumers who have suffered a data breach can sue companies for failing to protect their data under CCPA. This legislation creates a new avenue for consumer privacy class action litigation which, until now, has been difficult to move forward because the breach event could not be traced to specific consumer damage.
Evaluating Your Risk
CCPA compliance assessment requires review of current protocols for consumer data collection and processing. Critical privacy controls include:
-- A method to accept consumer requests for personal information.
-- Development of requisite data collection and data selling tracking processes.
-- The disclosure and delivery of consumer personal information with specific detail, as required under CCPA.
-- A clear and conspicuous link on the business’ internet home page titled “Do Not Sell My Personal Information.”
-- Assurance that consumers are not discriminated against for opting out.
Best practices for compliance include a thorough information audit to establish what personal data the business holds, what it is used for, where it came from, who it is shared with, and how it is stored and transferred. Once the types of data held and processes are established, the legal basis for carrying out data processing should be reviewed and documented. Data security remains an important issue under this regulation. Engage the appropriate experts to evaluate your exposure. The stakes are higher.
After completing an internal audit, organizations should consider engaging legal counsel to identify the specific impact to their business, including compliance, contract language and employee awareness.
An experienced cyber insurance broker plays a critical role as an advisor in this process, providing not only insurance services, but also enterprise-wide risk management guidance. When an incident occurs, cyber insurance responds, including by covering costs associated with managing an unauthorized disclosure of data or a data breach. The insurance pays regulatory fines, where insurable, and it helps you to connect with privacy counsel, forensic computer consultants and communications firms at short notice and preferred rates.
The benefits of mitigating your risk exposure are clear: avoiding fines and penalties and, most importantly, protecting California consumers’ personal information.
San Diego Resources
San Diego has emerged as a national leader in cyber security and regulatory compliance with organizations and events including the San Diego Cyber Center of Excellence and USD’s upcoming Symposium on Cyber Risk, Law and Policy on November 15-16, 2018.
Chris Reese is the Lockton Pacific Series’ Cyber Technology Practice Leader advising clients on cyber and technology E&O risk mitigation and risk transfer. Jim Skeen is a founding board member of CommNexus (now EvoNexus) as well as the Cyber Center of Excellence and works closely with the FBI educating businesses on cyber risk. Jim is also a member of the San Diego CISO Roundtable.