Tag: CCPA implementation

  • CCPA: Worst-Case Scenarios

    https://www.flickr.com/photos/oatsy40/34767677374/
    “Danger” by oatsy40 from Flickr (Creative Commons License)

    The new California Consumer Privacy Act went into effect on January 1, 2020. I’ve received a handful of emails and seen some updates from businesses informing me that their privacy policies have changed, but not as many as I expected. I hope the businesses who are required to comply with this law know the risk they take if opt not to comply with this new privacy law.

    What if There’s a Data Breach

    Like the General Data Protection Regulation in the European Union (GDPR), you have to notify the impacted people if you have a data breach. If you have a data breach impacting personal information, you must notify the individuals “in the most expedient time possible and without unreasonable delay.” In either case, If the breach causes you to notify at least 500 California residents, you must also notify the California Attorney General’s Office.

    If you are in a position where you are entrusted with data that you do not own or license, such as if you are a data storage business, and you have a breach, you must notify the business or person that hired you about the breach.

    CCPA Penalties

    The CCPA is unique in that it is the first privacy law to allow a private right of action. An individual is allowed to sue a company for failing to comply with the CCPA, $100-$750 per violation or their actual damages, whichever is more. This right is limited, however, to situations where there’s unauthorized access, theft, or disclosure of non-encrypted or non-redacted personal information because the business failed to use reasonable security measures. That means if the business did everything right and there was still a data breach, an impacted person can’t sue for their damages.

    In addition to individuals suing for damages under the CCPA, the California Attorney General may fine a business for failing to comply with this law, Up to $7,500 per violation.

    My CCPA Cheat Sheet

    Complying with CCPA is no easy task, especially if your business must comply with CCPA and GDPR. I created a CCPA Cheat Sheet that I use with my clients and update it as more information and guidelines are provided about this new law. I give my cheat sheet out for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.

  • Do You Have to Comply with CCPA?

    “Please!” by Josh Hallett from Flickr (Creative Commons License)

    The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. This will have a substantial impact on companies that collect and use consumers’ personal information.

    I would not be surprised if the CCPA was direct response to the Facebook-Cambridge Analytica fiasco. Every time I read a provision of CCPA that seems strange, I consider how the law will impact companies like Facebook, Google, and Amazon, and then the provision makes sense.

    Who Must Comply with CCPA

    Businesses must comply with the CCPA. According to this law, a business is

    • A for-profit business,
    • That sells goods or services to California (CA) residents or people domiciled in CA (even if the business is not physically in CA), and
    • Fit at least one of the following three criteria:
    1. Get half their annual revenue from selling consumers’ personal information;
    2. Possess the personal information of more than 50,000 California consumers, households, or devices; or
    3. Have $25,000,000 or more in annual revenue.

    This may help you determine if you have to comply with this law.

    Non-profit businesses are except from CCPA, as are businesses in industries where consumer privacy is regulated by the Gramm-Leach Bliley Act, the Fair Credit Reporting Act, FERPA, and/or HIPPA.

    “Consumer”

    Under this law, a consumer is a natural person, aka a human, that lives or resides in California.

    “Personal Information”

    This law has an expansive definition of personal information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular CA resident or household.” This includes a consumer’s real name; alias; address; unique personal identifier; IP address; and email address. It also extends to other identifiers, including account names; social security and/or tax identification number; driver’s license number; passport number; military identification number; unique biometric data; and any unique identification number issued on a government document.

    Not just these, it also includes records of personal property or services a person has purchased or considered; purchasing histories or tendencies; browsing history; geolocation data; professional or employment information; and/or education information.

    This list is massive. Basically, it’s any information that identifies or could identify a natural person.

    There are a few exceptions to this definition: aggregate data, deidentified data, and information that is lawfully made available in federal, state, or local government records are not personal information. Neither is personal information obtained from employees, contractors, and job applicants.

    “Sale of Personal Information”

    The definition for the sale personal information includes “selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means.” Essentially, it includes any way a company might share a consumer’s personal information, even if you don’t make money from it.

    Data Broker Registration

    The CCPA requires any business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship to register as a data broker with the CA Attorney General’s (“AG’s”) Office by January 31, 2020 and pay a registration fee. If you don’t register, the penalty could be up to $100/day plus any costs in the action against you brought by the AG’s Office.

    My CCPA Cheat Sheet

    I created a CCPA Cheat Sheet that I use with my clients and update it as more information and guidelines are provided about this new law. I give my cheat sheet out for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.