In an effort to help business owners maintain compliance, this is the latest in a series of articles that provide a state-by-state analysis of data security and privacy regulations.
Going into effect on January 1, 2020 with enforcement beginning on July 1, 2020, the California Consumer Privacy Act of 2018 (the “CCPA” or “Standards”) gives California consumers new privacy rights, resulting in much more granular control over the personal information that businesses collect about them. In many ways, these Standards set the bar for privacy regulation in the United States.
Due to the depth and breadth of regulations imposed by CCPA, these Standards have far-reaching consequences for organizations all over the world. CCPA secures certain rights for California residents including the right to know what personal information an organization holds about them, the right to delete personal information, the right to opt-out of the sale of this information, as well as several others. If your organization does business in California or collects, stores, or processes the personal information of California residents, and you have not yet assessed your organization’s compliance with these Standards, your organization is currently at risk.
Below are commonly asked questions we have received from our clients, including key points about the Standards that you need to know:
Who must comply?
The California Consumer Privacy Act of 2018 applies to for-profit businesses that do business in the state of California and meet any of the following criteria:
There are some specific exclusions to these compliance requirements. For example, non-profit organizations and government agencies are exempt.
What is “personal information”?
The Standard’s definition of “personal information” is one detail that sets it apart from other privacy regulations. This definition is very broad, broader even than the European Union’s definition within the General Data Protection Regulation (GDPR), and includes information that identifies, relates to, or could reasonably be linked with a California resident or their household. According to the Standards, this information can include, but is not limited to:
Under these Standards, the definition of personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
What is considered a “breach” of personal information?
These Standards distinguish between violations of the regulation and data breaches. Consumers have specific rights in the event of a data breach, including the ability to sue the organization directly. Under CCPA, a breach of personal information is defined as the unauthorized disclosure of the following information in unencrypted and unredacted form: First name or first initial and last name in combination with any of the following:
Outside of a data breach as defined above, all other violations of the requirements within the Standard are handled directly by the Attorney General (AG), who can file civil actions against the offending business. However, the AG does not represent individual consumers in these circumstances.
What should I do to comply?
The California Consumer Privacy Act of 2018 includes a number of privacy-focused requirements meant to provide consumers with control over the data that organizations are collecting about them. In order to comply with the Standards, a robust privacy program is required which includes considerations for the following:
Organizations must develop a privacy program that ensures transparency in the collection and use of California residents’ personal information and provides timely responses to consumer requests and complaints. Organizations must also implement an information security program in order to maintain reasonable security procedures and practices designed to protect this information against unauthorized disclosure.
What is the penalty for non-compliance?
Penalties for non-compliance with these Standards vary based on the type of violation. For data breaches, as defined above, consumers can themselves sue the offending organization under CCPA for monetary damages actually suffered, or statutory damages up to $750 per violation. When suing for statutory damages, the consumer must afford the business 30 days to remediate the identified deficiencies.
Violations that do not constitute data breaches are reported to and handled entirely by the California Attorney General. In these cases, the Attorney General will use consumer complaints and other sources of information to identify patterns of misconduct that may lead to investigations. Investigations may result in a fine of up to $7,500 per record for intentional violations of the Standard, and $2,500 per record for unintentional violations. Because these penalties are levied per violation or per record, they can have significant consequences for organizations that are found to be in non-compliance.
This article is meant to provide a summary of key elements within the Standards that organizations should understand and is not intended to be a comprehensive analysis. Our IT Risk Assurance & Advisory Practice can provide you with the analysis you need and assist your organization in creating a tailored plan to comply with the California Consumer Privacy Act of 2018. For additional information, please contact a member of your DGC client service team, or Scott Goodwin, OSCP, OSWP at 781-937-5722 / email@example.com.