Has the Golden State set a new gold standard for compliance?
Passed in 2018 and taking effect on January 1, 2020, the California Consumer Privacy Act (CCPA) poses regulatory
compliance challenges for:
- All companies that serve California residents and have at least $25 million in annual revenue.
- Companies of any size that have personal data on at least 50,000 people; or that collect over half their revenue
from the sale of personal data.
Headlines and reports about the free sharing of sensitive private information have spurred a wave of legislation that
has compliance experts and risk management officers on high alert.
Framed by this context, the CCPA was passed to give consumers five key data privacy rights:
- The right to know what personal information is being collected about them;
- The right to know whether their personal information is sold or disclosed and to whom;
- The right to say no to the sale of personal information;
- The right to access their personal information; and
- The right to equal service and price, even if they exercise their privacy rights.
The CCPA places data privacy obligations, and the burden of compliance, upon any organizations that collect data from
California residents – similar to GDPR, now enforced in Europe, and the SHIELD Act, which has recently impacted data
privacy and security requirements in New York state.
What’s notable about the CCPA?
The California law’s significance lies not only in the rights it grants its consumers; but also in its broadened
definition of private information. Historically, compliance experts have known to advise companies of the risks
surrounding highly confidential information: social security numbers, drivers’ licenses or data connected to bank
accounts.
But under the CCPA, personal information is defined as any information that identifies, relates to, describes, is
capable of being associated with, or could reasonably be linked with a particular consumer or household. In addition
to the data identified above, regulations now exist regarding the following:
- Names, aliases and addresses
- Online identifiers and email addresses
- Personal information including age, race, color, religion, marital status, disability and gender identity
- Medical conditions
- Commercial information, including records of personal property, products or services
- Biometric information such as fingerprints, retina scans or facial recognition
- Internet search history
- Geolocation data
- Professional or employment-related information
- Requests for family care leave, medical leave or disability leave
What are the penalties for not being in compliance with CCPA?
Once regulators advise them of a violation, companies have 30 days to comply with the CCPA. After that, failing
resolution, fines accrue of up to $7,500 per record.
Bottom line: businesses dealing with California clients will need powerful new compliance tools at their disposal.
And while California may be among the first states to pass such an expansive privacy law, it will likely not be the
last. Our CyMetric solution can help your company maintain and demonstrate compliance with CCPA and other sets of
data privacy and data security mandates and regulations.