The California Consumer Privacy Act (AB 375), which goes into effect on January 1, 2020, is expected to significantly strengthen consumer privacy protections and restrict how personal data is collected in the USA. Just as the General Data Protection Regulation (GDPR) set the benchmark for data privacy in Europe, CCPA is expected to set the standard for data privacy in the USA, and other states will likely follow California's example.
What does your organization need to know about this significant California privacy law? Here are three important points.
To Whom CCPA Applies
CCPA applies to companies that do business with California residents, even if they have no offices in the state. This might seem like a limited population. Bear in mind, however, that nearly 40 million people live in California, more than in Canada and about 12% of the US population. California also has the fifth largest economy in the world, with a GDP of more than $2.7 trillion.
In addition, CCPA applies only to businesses that meet at least one of these thresholds:
Annual gross revenue greater than $25 million
Buy, sell or share the personal information of 50,000 or more consumers, households or devices per year, not all of whom need to be from California
Derive 50% or more of annual revenue from selling consumers' personal information
Not surprisingly, a large number of businesses are expected to fall under CCPA.
What CCPA Provides
CCPA grants Californians specific privacy rights over their personal data that is being used by businesses and their suppliers. These rights include:
1) Right to know what personal information is being collected about them
2) Right to know whether their personal information is sold or disclosed, and to whom
3) Right to say no to the sale of personal information
4) Right to access personal information
5) Right to delete personal information
6) Right to equal service and price, even if they exercise their privacy rights
CCPA gives consumers a private right of action, but it is limited to data breaches that result from a business's failure to implement reasonable security; violations of the other privacy rights above are enforced by the California Attorney General. In both cases, CCPA gives businesses 30 days after written notice to cure the alleged violation.
The Role of Cybersecurity
CCPA requires organizations to implement "reasonable" security procedures and practices but does not define what that entails. In the event of a breach that exposes personal data, affected consumers can sue for statutory damages if the organization cannot show that it had such measures in place. Organizations that already strengthened their security controls in response to GDPR will likely have less to do in this respect. Regardless of compliance demands, however, organizations should make sure that their cybersecurity strategy is up to par.
At a minimum, organizations must regularly monitor the flow of personal data within their own systems and those of their vendors, maintain continuous awareness of security breaches and of the strategies for mitigating them, and be able to quickly determine what personal data may have been exposed and how to respond.
Want to learn more about how Panorays can help your company comply with regulations? Contact us.