California has passed the most rigorous privacy measure in the United States in decades. The California Consumer Privacy Act of 2018 (CCPA), passed recently, continues the trend of providing more control to consumers over their personal information. The CCPA is estimated to impact more than 500,000 businesses inside and outside of California. Given the broad reach of websites, and the magnitude of California’s economic impact, it is likely that many businesses in the U.S. collect personal information about California residents and are subject to compliance. The CCPA is slated to go into effect on January 1, 2020. Although lawmakers have hinted that amendments could be coming before the effective date, here is what you need to know about the CCPA:
Who is protected by the CCPA?
The CCPA defines “consumers” as natural persons who are California residents. With the fifth-largest economy in the world, there is a strong likelihood that most companies serve consumers in California even without a physical presence in the state.
Who must comply with the CCPA?
A “business” subject to the CCPA is a for-profit entity that does business in the State of California and satisfies one or more of the following thresholds: (1) has annual gross revenues in excess of $25 million; (2) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenues from selling the personal information of consumers. The calculation of these thresholds includes both parent companies and all subsidiaries. The CCPA does provide certain exemptions from compliance if all aspects of commercial conduct take place outside of California.
What are the key takeaways from the CCPA?
Penalties and Enforcement Under the CCPA
The CCPA provides for a private right of action for unauthorized access to a consumer’s unencrypted and unredacted personal information. The California Attorney General can also impose a fine of up to $7,500 per violation.
What Should You Be Doing to Prepare?
With the CCPA set to go into effect in less than 18 months, businesses should begin an immediate evaluation of whether they will be subject to the new law. On the heels of the General Data Protection Regulation (GDPR), some businesses may already have a framework in place for compliance under the CCPA. However, with an expanded definition of “personal information” under the CCPA, all businesses should be proactive in reviewing their current procedures and implementing new protocols to ensure compliance with the law.