Get ready to comply on January 1, 2020
California passed the California Consumer Privacy Act (CCPA) in early 2018, a landmark policy with some of the most stringent data-protection provisions in the country. Inspired by the European Union’s General Data Protection Regulation (GDPR), the CCPA is designed to give consumers control of their data.
California may be only one state, but because of its size, population, and vibrant technology industry, the CCPA will have consequences far beyond its borders. Because the state has nearly 40 million residents, most companies in the US have some kind of interaction with California residents and will need to comply with this new legislation.
What is the CCPA?
CCPA applies to companies that conduct business in the state of California or collect or process personal information about California residents. It applies to businesses that meet at least one of the following criteria:
- Generate gross annual revenue of more than $25 million
- Buy or share personal information about 50,000 or more consumers, households, or devices
- Derive at least one-half of annual revenue from selling consumers’ personal information
Significant penalties for non-compliance
Under the CCPA, the state will impose fines of $2,500 per incident for unintentional breaches and $7,500 per incident for intentional violations. It also allows consumers to recover up to $750 per incident, or more if the consumer can show actual damages that exceed $750. The amounts might seem modest, but CCPA penalties have the potential to be substantial, especially if the CCPA is applied on a per-consumer, per-incident model.
The CCPA will require new capabilities for managing consumer inquiries. A company will need multiple channels to receive consumer requests, verify they are legitimate, make data available in a portable format, make exceptions for data that needs to be retained, and resolve disputes.