Doing Business In California: Impacts Of The CCPA

doing business in california the impacts of the ccpa

2018 was a big year for data privacy regulations. On May 25, 2018, the European Union’s General Data Privacy Regulation (GDPR) went into effect, dramatically increasing the privacy protections available to EU citizens. A little over a month later, the California Consumer Privacy Act (CCPA) was passed as well, defining new requirements for organizations that “do business within” the state of California.

The CCPA doesn’t go into effect until January 2020, but the fact that it passed means that businesses will have to implement increased data security protections. Even organizations that have achieved compliance with the GDPR have work to do due to the strictness of the CCPA regulation.

However, the overall philosophies of the regulations are the same. Both explicitly define the potential regulatory impacts of a data breach (up to $7,500 per incident under CCPA where an incident is each individual breached record) and give individuals increased visibility into and control over their personal data that has been collected, purchased, sold, processed, or stored by a company.

Yes, It Definitely Affects You As Well

No privacy regulation is one-sided. Both individuals and organizations are impacted by any new regulation. Under the CCPA, individuals have several new protections when dealing with affected companies, while these companies must implement the necessary protections for personal data and mechanisms to meet the requirements of the new regulation.

CCPA For Individuals

The CCPA is a rather broad privacy regulation and gives consumers a lot of power over businesses that it applies to (more on that in the next section). Under the CCPA, consumers have the following rights:

  • Request details on the personal information collected by the business.
  • Request deletion of any of the individual’s personal information collected by the business.
  • Request broad categories of information collected about a consumer.
  • Request broad categories of the intended business uses of any collected personal data.
  • Request broad categories of the third parties with whom data will be shared or sold.
  • Request that any business that sells/shares personal information with a third party share certain categories of an individual’s personal information with that individual.
  • Opt out of having any personal information sold to a third party.

Since many “free” services have a revenue model based upon the collection, aggregation, and sale of individuals’ personal data to third parties, the CCPA has a significant business impact. Individuals have the ability to have information deleted or require that information not be sold to third parties, dramatically increasing their personal privacy.

CCPA For Businesses

Since the CCPA has the word “California” in its title, you may think that it doesn’t apply to you. However, the CCPA (like the GDPR) applies to business that are located outside its borders as well. Any business (including non-profits) that “does business in” California is required to comply with its new privacy law.

The CCPA has a pretty detailed explanation of what qualifies an organization as a business subject to the CCPA. If an organization:

  • Collects customer’s personal data,
  • has an annual revenue over $25 million,
  • buys, receives, sells, or shares the personal information of over 50,000 customers, devices, or households for commercial purposes OR
  • derives over half of annual revenue from sale of customers’ personal information,
  • and operates in the state of California

…then the CCPA applies to that organization. If this list of criteria doesn’t apply to your organization, you’re off the hook (which is probably a good thing since the price of compliance with it and GDPR is estimated to be in the hundreds of thousands of dollars).

Here’s What To Do Next

If you are an individual or organization that is affected by the CCPA, it’s a good idea to learn more about the regulation and your rights and duties under it. Individuals have significant privacy protections under the CCPA after the January 1, 2020 activation. Understanding these rights and their potential impacts on services is important. For example, the fact that many businesses may have limited ability to resell your personal information may mean that certain “free” services will have to become paid in order to provide an alternative revenue stream.

Businesses that are affected by the CCPA need to take the necessary steps to become compliant both with protecting personal data and ensuring that individuals can exercise the rights provided by CCPA. Failure to do so can cause significant financial damages since CCPA has a max penalty of $7,500 per incident (where an incident is each individual breached record), so a data breach of even 150 records can push penalties into the millions. Since 86% of companies are not ready for the new regulation, action is needed to meet the deadlines.

The Need For Greater Data Security

For most organizations, the primary concern with CCPA is the protection of sensitive data and the potential impacts of a breach. While an organization needs to implement the mechanisms necessary for compliance with the transparency and control requirements of CCPA, this is a less complicated issue (unless you’re Google or a similar organization where discovery and deletion of data is a nightmare).

Protecting sensitive data from being breached requires a good data security strategy and the right tools for the job. Some organizations offer tools designed specifically to achieve compliance with GDPR, CCPA, and similar regulations. Finding and deploying data security technology that helps with sensitive data discovery and protection and has the ability to track data access and unusual/risky user behaviors (to identify compromised privileged accounts) can go a long way toward achieving compliance with the CCPA and GDPR regulations.

About David: Techthusiast & Avid Traveler.