The California Consumer Privacy Act (CCPA) comes into effect on 1st January 2020. The bill was drafted to help enhance consumer protections and safeguard California residents’ right to privacy.
Many have compared the CCPA to the General Data Protection Regulation (GDPR), suggesting it marks a shift towards a more restrictive European-style data protection/privacy regime. While the CCPA certainly has provisions similar to the GDPR, it is not as all-encompassing. Here are some of the main points to keep in mind when building a CCPA compliance system.
The organizations that must comply – large and California-based
One area of distinction between the GDPR and the CCPA is scope. The GDPR applies to all organizations that process the personal data of EU/EEA residents, irrespective of their size or location (the GDPR can apply to organizations based outside of the EU). The CCPA only applies to large California-based organizations or those whose primary business is the sale of personal information. More specifically, there are three types of business that will have to comply: (i) companies with more than $25 million in gross revenue, (ii) businesses with data on more than 50,000 consumers and (iii) firms that make more than 50% of their revenue selling consumer data (i.e. data brokers).
The CCPA introduces a number of requirements that businesses in scope will need to abide by. Many are similar to the GDPR. For example, Title 1.81.5 of the CCPA states that organisations are required to “implement and maintain reasonable security procedures and practices”, much like Article 5(1)(f) of the GDPR, which mandates that personal data must be “processed in a manner that ensures appropriate security of the personal data”.
Similarly, the requirement that organisations “designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number” (Cal. Civ. Code 1798.130(a)) and that they “update privacy policies with newly required information, including a description of California residents’ rights” (Cal. Civ. Code 1798.135(a)(2)) seem inspired by the comparable subject access requests and privacy information requirements in GDPR.
Failure to comply with the CCPA, whether intentionally or otherwise, can result in regulatory fines or class action lawsuits. Once again, the CCPA’s fine schedule represents a departure from the GDPR. Whereas the GDPR can result in fines of up to 20 million Euros or 4% of global turnover, the CCPA has a rather more modest punishment of a “fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation” (Cal. Civ. Code 1798.155).
Additionally, “companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it” (Cal. Civ. Code 1798.150).
What should my organization do next?
The first step should be to determine whether the CCPA applies to your organization. That is, do you fall into any of the following categories: (i) companies with more than $25 million in gross revenue, (ii) businesses with data on more than 50,000 consumers and (iii) firms that make more than 50% of their revenue selling consumer data (i.e. data brokers).
The next step will be to implement the policies and processes to ensure you meet the requirements of the new legislation.
It is here that Apomatix can help. We have built a software product to aid organizations who need to comply with the CCPA. Launching in November 2019, our automated solution will guide you through the specific requirements and provide you with targeted advice on how to implement the necessary controls. For the latest information, please subscribe to our mailing list.