The California Consumer Privacy Act, also known as the CCPA, was signed into law some time ago. Some of us know its details, but a larger share of the population probably knows little about it beyond the acronym. In many ways, this law is modelled after the GDPR, the European Union’s own privacy law.
Long story short, the main thrust of the CCPA is to give the American consumer much greater control over how their Personally Identifiable Information (PII) is stored and who accesses it, especially third parties.
If certain rules and regulations are not followed, the company in question can face serious financial penalties, and the impacted consumer is now in a much better position to file a lawsuit, if that is the route they choose.
But according to a recent study by Apptega, some 85% of businesses still have not come into compliance with the CCPA. Even worse, the study found that many of these companies don’t even know what PII they hold about their customers, or how it is stored or used.
These companies really need to figure out where they stand, because key amendments have already been made to the law in order to keep up with the ever-changing Cybersecurity Threat Landscape. So, let’s get started.
Which kinds of businesses does the CCPA impact?
Here are the defining criteria:
*The business entity has an annual revenue base of at least $25 million;
*It receives or sells the PII of at least 50,000 California consumers;
*The business entity generates at least 50% of its gross revenue from the sale of PII-based datasets.
In other words, you do not have to be physically located in California to be subject to the CCPA. If you are based in Europe or Asia and meet the above criteria, you are still subject to these laws, in the very same way that the GDPR affects business entities here in the United States that have offices in the European Union.
The CCPA does not affect only those businesses that directly have custody of customer PII datasets. It also impacts third parties that have indirect access to the PII. Here is how the CCPA works in this regard:
*Any third party that has a direct relationship with a company that deals in the selling and receiving of PII is also subject to the CCPA;
*All business entities, even those classified as third parties, must offer opt-out options as well as real-time notifications to customers who choose not to have their PII disclosed to anybody else;
*Businesses, and even third parties, cannot mistreat, abuse, or discriminate against customers who choose to make use of the opt-out option.
As described previously, the CCPA has also undergone some recent amendments that you need to know about if you are doing business in California. Here are some of them:
*Amendment AB 25:
Until January 2021, emergency contact or beneficiary information is not considered to be PII.
*Amendment AB 874:
Aggregated consumer datasets are not classified as PII.
Any business that operates offline but still maintains a direct relationship with its customers is allowed to use Email as the only means by which consumers can contact it to opt out or to have their PII deleted from its databases.
Any information exchanged between an auto dealer and a vehicle manufacturer is not classified as PII when the work being done to the car is still under warranty or is part of an auto recall.
This includes an exemption until January 21, 2021 for PII datasets collected during due diligence exercises, or for PII collected when a receipt has been provided to the customer for goods and services rendered by the business in question. Also, data brokers are required to register with the California Attorney General.
My Thoughts On This
If you are not compliant with the CCPA, the financial penalties can be quite steep. For example, you could face up to $750 for each consumer in Civil Court, and up to $7,500 if the California Attorney General decides to come after you. This is just for general noncompliance. For specific data breaches, the fines are as high as $750 per data record.
So, what can you do to make sure that you are compliant if you do business in California? I am by no means an expert, but your best bet would be to contact a Cybersecurity company that specializes in compliance work. There are many of them out there, so a simple Google search should give you a pretty good listing.
However, don’t just pick the one that comes straight to the top; rather, do your own homework and even interview a few consultants to make sure not only that you feel comfortable with them, but that they also meet your requirements. Whoever you pick in the end should be very well established in Cyber compliance work, and should have a list of references that you can contact.
If you are still having trouble, another route you can take is to contact a law firm that also specializes in compliance work. While they may not be Cyber specialists, they can at least point you in the right direction.
Even if your business does not meet the thresholds described in this blog for CCPA compliance, it is still crucial that you look into your own state’s laws to see if anything data-compliance-driven is coming out. At this time, there is no federal law in place, and as a result, all of the states are scrambling to come up with their own sets of laws.
These will vary considerably from one another, so you need to stay informed. If you have an online store and you get customers placing orders from as far away as California, you are still 100% responsible for maintaining the security and integrity of the PII that you are collecting. This only drives home the point further that you have to know what is being collected, and how and where it is being stored.
Finally, just as your accountant may tell you to keep hold of your tax records for at least seven years, you also need to develop a plan of action for how you will respond to a query or even a compliance audit by the California Attorney General (or, for that matter, your own state’s AG’s office).
Under the CCPA, you are required to keep detailed information about all of your PII datasets for at least a twelve-month time period.
For more detailed information about the CCPA, listen to this podcast, in which we get perspectives from both the legal and cybersecurity fronts: