CCPA: The 1st Major American Foray into Comprehensive Data Privacy Regulation
Data protection in the United States is about to undergo a major change, and everyone needs to be ready.
The California Consumer Privacy Act (CCPA), signed into law June 28, 2018, enters into effect Jan. 1, 2020. It creates several new obligations for many United States-based businesses with regard to the collection, treatment, and sale of personal information.
CCPA applies to for-profit entities doing business in California that satisfy at least one of the following thresholds:
has annual gross revenues in excess of $25 million;
annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or
derives 50 percent or more of its annual revenues from selling consumers' personal information.
The CCPA text makes clear the regulation is geared toward providing regulators and consumers with greater control over the personal information that enters the stream of commerce. CCPA generally provides restrictions and limitations on the “sale” of personal information, but the regulation defines “sale” broadly enough that it includes many “free-to-download” products and services common in today’s marketplace, as well as the transfer of information to third parties.
What CCPA Means for Your Business
$2,500 for every unintentional violation;
$7,500 for every intentional violation; and
Private right of action. Consumers may recover statutory damages for data breaches of their personal information.
Although CCPA shares some similarities with the General Data Protection Regulation (GDPR), the laws impose different obligations and regulate different data. Companies shouldn’t assume CCPA will have an insignificant impact on their business if GDPR compliance has already been assessed. In light of the aforementioned penalties and the limited window for responding to consumer requests, coupled with the impending Jan. 1, 2020 effective date, organizations should begin evaluating their data privacy and general information practices. Specifically, companies in the IT, marketing, and SaaS spaces should consider in advance whether they might be subject to the new law. While it may not be possible to get everything in order by Jan. 1 for companies just getting started, it is advisable to not delay compliance efforts.