Only 46% of employees in the United States had heard of the California Consumer Privacy Act (CCPA) Assembly Bill (AB) 375 as of mid-2019, according to the Eye on Privacy Report. That percentage is unnerving, considering the CCPA could have greater repercussions for U.S. companies than the wide-reaching European Union’s General Data Protection Regulation (GDPR). With the CCPA in effect as of January 2020, what does your company need to know in order to ensure compliance?
Like GDPR, CCPA is designed to give consumers more control over their personal information and privacy. The legislation is complex, but CCPA consumer rights can be broken down into a handful of broad categories:
Consumers have the right to:
Even if your business doesn’t reside in California, you must comply with CCPA if your business meets the following criteria:
The act defines personal information broadly, as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That covers not only obvious identifiers such as name, postal address, email address, Social Security number, and account names, but also medical information, biometric data, browsing and search history, geolocation data, and more. Note the inclusion of “household”: data that cannot be tied to a single named person but can be tied to a home (a shared IP address, a smart-meter reading) is still in scope.
Businesses that do not comply with the CCPA face enforcement by the California Attorney General’s office, which can seek civil penalties of up to $2,500 per violation or $7,500 per intentional violation, after a 30-day notice period in which the business may cure the violation. How a “violation” is counted remains unclear: per consumer, per record, per day, or per practice. Separately, the act gives consumers a private right of action, but only for data breaches: when nonencrypted and nonredacted personal information is exposed because the business failed to implement and maintain reasonable security procedures, affected consumers can seek statutory damages of $100 to $750 per consumer, per incident, or actual damages, whichever is greater. Because that exposure scales with the number of affected consumers, encrypting or redacting stored personal information is a direct way to limit liability, not just good hygiene.
Much of the act’s wording is ambiguous, and a lot remains to be settled by regulations and enforcement. What is not ambiguous is the need for documented, consistently followed security and privacy processes: an inventory of what personal information is collected and where it is stored, a way to locate and delete a given consumer’s data on request, access controls and encryption for stored data, and a breach response procedure. With those in place and demonstrably followed, a company protects its customers, strengthens trust in its brand, and puts itself in a defensible position under the CCPA, the GDPR, and the privacy regulations that are sure to follow.