The California Consumer Privacy Act (CCPA) was signed into law and immediately effective on June 28, 2018 with, for very interesting political reasons, enforcement deferred until 2020. CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared or sold. The American Bar Association considers CCPA to be “the absolute toughest data privacy law in the United States” and calls out the tone of the legislation as “quite aggressive.”
Many within compliance circles closely compare it to GDPR (the European Union's General Data Protection Regulation). While there are significant differences, it is a reasonable comparison from a data protection, cybersecurity and controls standpoint. There continues to be a lot of misinformation circulating about who is in scope and who is not, perhaps partly due to this comparison to GDPR. While GDPR covers any organization that solicits, collects, processes or stores the personal data of any EU citizen, CCPA is more lenient about which organizations must comply. The CCPA only applies to businesses that meet any of these triggering criteria:
- Has annual gross revenues in excess of $25 million (a)
- Captures or stores the personal information of 50,000 or more California consumers, households, or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information and does any business in California
(a) The law is ambiguous as to whether the $25 million refers to total or California-only revenue. Most opinions seem to be lining up behind the view that the threshold refers to California-derived revenue only. Ultimately, the courts may be the ones to resolve this issue.
There are categories of information that will be exempt from CCPA. They are:
- Medical information or protected health information governed by California and federal health information privacy laws
- Clinical trial information subject to the Federal Policy for the Protection of Human Subjects (the Common Rule)
- Personal information regulated by the Fair Credit Reporting Act (FCRA). (Cal. Civ. Code §1798.145(c)-(d).)
Note that there are still some breach reporting provisions for these exempted areas.
Unlike GDPR, which established specific penalties, the CCPA gives consumers or groups of consumers the right to bring lawsuits, presumably in any amount. The bottom line is that if you are a for-profit business doing business in California, have a significant physical presence in California, or collect California consumers' personal information, you cannot ignore this new legal obligation.
While CCPA is getting all of the attention heading into 2020, it is also important to be aware that since the year 2000 at least 22 of the 50 states have enacted data protection and privacy laws to varying extents. In 2019 alone, Delaware, Florida, Minnesota and Utah all added data privacy laws, with additional states and tougher laws clearly on the way.
BostonCOMPLY’s first-of-its-kind offering takes a truly practical approach to compliance for small and medium businesses from 10 to 5000 employees. Our Practical Compliance Automation™ offering is a hybrid professional services, Software as a Service (SaaS) and targeted training program that can get most clients compliant in 45 to 90 days, establish a proper auditable compliance system of record and basically keep you out of trouble. It is time to get serious about compliance.