If You Do Nothing Else for the CCPA, Do This…
Secure your data. Really. If you do nothing else for the looming CCPA, secure the personal information you hold.
Securing data has long been both a sensible step and, in many cases, a required one. But if you haven’t been paying rapt attention to the cacophony of CCPA commentary, opinions, draft regulations, and urgent to-do lists, here is arguably the step that will have the most direct benefit: secure your data.
The California Consumer Privacy Act of 2018 sets a new, higher standard in the U.S. for a consumer’s control over their otherwise unregulated personal information. Putting aside how effectively companies implement the CCPA, Californians as of January 1, 2020 will have enhanced rights to access their data (1798.100), to request that it be deleted (1798.105), and to know what categories of their information have been collected (1798.110) and sold (1798.115).
As of January 1, 2020, data breaches in California, the world’s 5th largest economy, will become much more expensive, and perhaps the most expensive in the world. The California AG has the opportunity to intervene, but given the resource challenges, the reality is that the plaintiffs’ bar will take the lead.
California “businesses” are struggling to understand and implement these rules. Additionally, organizations are assessing how to revise their privacy policies and what operational changes are recommended to manage the law, and let’s not even touch the kerfuffle surrounding third party advertising and especially ad networks. Given the law’s ambiguity and the myriad questions the ‘clarifying’ draft regulations have raised, companies around the world are left wondering how to properly comply with the CCPA.
The CCPA provides consumers with many rights that most organizations already support. But, to the extent that a company falls short of the new requirements, keep in mind that most CCPA enforcement is delegated solely to the California Attorney General. Although the CA AG is an aggressive enforcer of California’s laws, there are many resource constraints. The AG’s office has many laws to enforce, and in the context of the CCPA specifically there may be high profile companies whose data handling attracts more attention than your own imperfect compliance.
The CCPA permits individual consumers to assert a legal claim for damages when the consumer’s personal information has been lost — or subject to a data breach in official parlance. This means that any data breach after January 1, 2020 involving California residents is subject to the CCPA and its statutory damages of up to $750 per violation. While $750/person is not a huge number, if there are a great many people affected the numbers add up and the attraction for plaintiffs’ lawyers is understandable.
All of this makes securing personal information the priority for every company holding California personal information, and especially for those that cannot afford to comply fully. Organizations of all types will lose data. This is today’s reality. But if a company applies the data security guidance that the California AG has identified as constituting reasonable security, it will have a significant defense against claims that the loss of personal information was irresponsible or inconsistent with best practice.