Issue No. 89, January 2020
CCPA, New Security Law for California Businesses, What is It?
Some of you may have heard in the news about the new “CCPA” legislation that went into effect on January 1 this year.
CCPA stands for the California Consumer Privacy Act, and it became effective for California businesses on January 1, 2020 (2 weeks ago).
For this reason, we thought it would be good to gear this month’s article toward information about the CCPA.
Intentions of the CCPA Act
The intentions of the Act are to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
Compliance for Business
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Buys or sells the personal information of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
Responsibility and Accountability
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes (Cal. Civ. Code § 1798.120(c)).
- Provide a “Do Not Sell My Personal Information” link on the home page of the business’s website that directs users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information (Cal. Civ. Code § 1798.102).
- Designate methods for submitting data access requests, including, at a minimum, a toll-free phone number (Cal. Civ. Code § 1798.130(a)).
- Update privacy policies with newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
- Avoid requesting opt-in consent for 12 months after a California resident opts out (Cal. Civ. Code § 1798.135(a)(5)).
Sanctions and remedies
The following sanctions and remedies can be imposed:
- Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c)).
- Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 and $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).
- A fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).
- Privacy notices must be accessible and have alternative format access clearly called out.
Please feel free to reach out to our engineering team with any of your IT needs:
Phone: 858-952-5400 x0