Think California’s New Privacy Law Doesn’t Apply to You? Think Again.

By Alex Koskey, CIPP/US

California has passed the most rigorous privacy measure in the United States in decades. The California Consumer Privacy Act of 2018 (CCPA), passed recently, continues the trend of providing more control to consumers over their personal information. The CCPA is estimated to impact more than 500,000 businesses inside and outside of California. Given the broad reach of websites, and the magnitude of California’s economic impact, it is likely that many businesses in the U.S. collect personal information about California residents and are subject to compliance. The CCPA is slated to go into effect on January 1, 2020. Although lawmakers have hinted that amendments could be coming before the effective date, here is what you need to know about the CCPA:

Who is protected by the CCPA?

The CCPA defines “consumers” as natural persons who are California residents. With the fifth-largest economy in the world, there is a strong likelihood that most companies serve consumers in California even without a physical presence in the state.

Who must comply with the CCPA?

A “business” subject to the CCPA is a for-profit entity that does business in the State of California and satisfies one or more of the following thresholds: (1) the business has annual gross revenues in excess of $25 million; (2) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenues from selling the personal information of consumers. The calculation of these thresholds includes both parent companies and all subsidiaries. The CCPA does provide certain exemptions for compliance if all aspects of commercial conduct take place outside of California.

What are the key takeaways from the CCPA?

  • Right to Information: A consumer has the right to request that a business disclose the categories and specific pieces of personal information collected by the business and whether that information is shared or sold to third parties. A business must provide this information free of charge within 45 days of receiving the request from the consumer.
  • Right to Notice: Businesses which collect personal information will be required, at or before the time of collection, to inform consumers the categories of information that will be collected and the business purpose for which the personal information will be used.
  • Right to Opt-Out: Consumers have the right to object and opt-out of the sale or sharing of their personal information. Businesses will be required to include an option on their website where consumers can select “Do Not Sell My Personal Information” in order to opt-out.
  • Right to Delete: A consumer will have the right to request that a business delete any personal information which the business has collected from the consumer.
  • Opt-In Requirement for Minors Under 16: The sale of personal information of children under 16 years old will require an opt-in. For children between 13 and 16, the child can provide the opt-in. For children younger than 13, the parent must provide the opt-in.

Penalties and Enforcement Under the CCPA

The CCPA provides for a private right of action for unauthorized access to a consumer’s unencrypted and unredacted personal information. The California Attorney General can also impose a fine of up to $7,500 per violation.

What Should You Be Doing to Prepare?

With the CCPA set to go into effect in less than 18 months, businesses should begin an immediate evaluation of whether they will be subject to the new law. On the heels of the General Data Protection Regulation (GDPR), some businesses may already have a framework in place for compliance under the CCPA. However, with an expanded definition of “personal information” under the CCPA, all businesses should be proactive in reviewing their current procedures and implementing new protocols to ensure compliance with the law.

Atlanta Cyber Week aims to connect the dots in our cybersecurity ecosystem and contribute to the story of metro Atlanta as a top venue for global commerce. Registration for Atlanta Cyber Week and Cybercon is open now! Visit www.atlcyberweek.com or www.cybercon.us to register.