What Is CCPA?
CCPA was born from a consumer-driven ballot initiative to protect personal data privacy, much like Europe’s GDPR (though there are important differences). Rather than allow the original ballot initiative to proceed, the California legislature rushed to draft and pass CCPA, primarily because it is considerably easier to amend than a law enacted via the state’s initiative process.
See the details and actions your organization needs to take around CCPA explained below.
When Does CCPA Take Effect?
The fast-tracked process produced a law that leaves many details unexplained or open for interpretation.
As a result, January 1, 2020 is the date the regulations take effect, but lawmakers left the door open for the state Attorney General to provide guidance and clarification and to adopt regulations on or before July 1, 2020. Even then, the Attorney General isn’t going to enforce the regulations until 6 months after that date.
CCPA introduces the following rights for consumers regarding their personal data:
- Right to know all personal data collected by a business.
- Right to say no to the sale of personal data.
- Right to delete personal data.
- Right to be informed of what categories of personal data will be collected prior to its collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- Right to know categories of third parties with whom personal data is shared.
- Right to know categories of sources of information from whom personal data is acquired.
- Right to know the business or commercial purpose of collecting personal information.
- Private right of action when companies breach personal data.
Which organizations must comply with CCPA?
CCPA compliance is required of organizations defined in Section 1798.140(6)(1)(A-C). You are obligated to comply with CCPA and have DSAR requirements if ANY of the following apply:
- $25 million+ annual gross revenues.
- You buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 50K or more consumers, households, or devices each year.
- 50% or more of your annual revenue is derived from selling consumers’ personal information.
And the following is true:
- You’re a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners. As written, CCPA doesn’t appear to apply to non-profit organizations, but this is one of many items the California Attorney General and/or state legislature will further clarify.
- You “do business” in California. This phrase isn’t defined in the CCPA, but you may assume that it applies to any business, whether or not geographically located in California, that collects and/or sells the personal information of California residents, which would be consistent with California’s tax and corporations codes.
- You collect consumers’ personal information, or someone collects it on your behalf. “Collect” means to buy, rent, gather, obtain, receive, or even access information, by any means, whether actively or passively, including by observing a consumer’s behavior.
- You alone, or jointly with others, determine the purposes and means of the processing of consumers’ personal information.
Risks of non-compliance with CCPA
Watchdog groups will test the law
We’ve already seen watchdog groups initiate requests to test how well companies have been complying with GDPR, which went into effect in May 2018. Expect this to happen with CCPA as well. If you’re not able to comply with their access requests in a sufficient and timely manner, watchdog groups could go public and refer you to the California Attorney General.
Fines are steep and will rise quickly
Under CCPA, fines are enforced by the Attorney General and can reach up to $7,500 per intentional violation. Non-intentional violations are subject to a $2,500 maximum fine.
Additionally, CCPA allows affected consumers to file individual or class-action lawsuits against offending businesses. With damages ranging between $100 and $750 per violation, costs could escalate quickly. A data privacy lawsuit could easily put a smaller company out of business.
CCPA Solutions: How WireWheel Can Help
Whether you’re working to meet CCPA requirements or any other privacy mandate now or in the future, building your privacy operations on a suite of privacy solutions will give you the visibility and control you need to be successful.