
The Future of Privacy
The introduction of GDPR in Europe in 2018 means that many organizations globally have already adapted their policies to comply with privacy regulations, but the start of a new decade brings even more change to the regulatory landscape as California becomes the first state in the United States to introduce a privacy act. The California Consumer Privacy Act (CCPA), which came into effect on January 1st, will undoubtedly help shape the future of privacy regulations in North America.
In this blog we’ll look at the key parts of this legislation and what it means for business.
The essentials of the California Privacy Act
The California Consumer Privacy Act (CCPA) is legislation that passed into law on June 28th, 2018. It is intended to enhance privacy rights and data protection for consumers by legislating how organizations can store and use private data. Major data breaches such as those at Facebook and Google have put data privacy into the spotlight for consumers, so this is a welcome addition to the data protection landscape.
The CCPA applies if you are an entity that does business in the state of California and you collect personal information in addition to meeting at least one of the following criteria:
- Have annual gross revenues in excess of $25 million
- Possess the personal information of 50,000 or more consumers, households, or devices
- Earn more than half of your annual revenue from selling consumers’ personal information
At first glance many small businesses may assume the CCPA does not apply to them, as they are unlikely to meet the $25 million revenue criterion. But possessing the personal information of 50,000 or more consumers, households or devices is likely to bring many organizations into scope. Take, for example, an enterprise software company: it doesn’t take much to exceed 50,000 devices. Organizations need to pay careful attention to this criterion and ensure they are in compliance with this regulation.
How do you become compliant?
If you are a company that has taken steps to comply with GDPR regulations, you will likely find that you are already in compliance with most of the requirements for this new legislation. Below is a summary of what is required.
- Include a “Do Not Sell My Personal Information” link on your home page. If you don’t sell this information, make this very clear by updating your privacy policy.
- Ensure you have a mechanism in place to allow users to request access to any information you may collect about them and the ability to delete this data if requested. A good example can be found in our own privacy policy.
- Ensure you have an established method of consent before selling personal data and make sure users have to opt in to this requirement.
What are the penalties?
Fines will be levied against businesses that are not in compliance with this new regulation. You will first be notified by the appropriate body and have 30 days to comply. If you do not comply within this time frame, a civil case can be initiated against the company and will carry a fine of $7,500 per incident.
The fine will be levied for each customer whose rights you have breached. If you have breached the rights of 100 customers, then your fine will be $750,000. Companies must take this new regulation very seriously, as fines of this size have the potential to close many businesses.