Running a company is never simple. But for companies that do business in the State of California, things just became more complicated. On January 1, 2020, the state’s landmark consumer privacy law, known as CCPA (California Consumer Privacy Act) came into effect. Failure to comply with the new legislation, the first of its kind in the US, could be a very costly experience.
Does CCPA apply to all companies that do business in California?
No, it doesn’t apply to all companies. However, a company must comply with CCPA if it fits any of the following 3 criteria:
- It collects the personal information of 50,000 or more people, households or devices every year
- It has an annual gross revenue above $25 million
- 50% or more of annual revenue comes from selling consumer personal information
The new law is designed to prevent personal information from being used without permission to generate profits. So typically, CCPA will cover the likes of retailers, mobile service providers, app and website operators and other companies which collect personal data for commercial reasons.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
What information does it cover?
Basically, CCPA gives Californians the right to see all types of personal information that companies have collected. The legislation gives a very wide definition of “personal information” – from basic details such as name, postal address and e-mail address, to more complex information such as consumer preferences and internet activity.
The only information not covered by CCPA is “publicly available” information, which means information that is available from federal, state, or local government records.
What happens if I don’t comply with CCPA?
An intentional violation is liable for a fine of up to $7,500 for each violation. In addition, the law paves the way for individuals to recover between $100 and $750 per such incident. It is also possible that each separate piece of information will be considered a separate violation.
When you start doing the math, for a company with information on just a few thousand people, failure to comply with CCPA could amount to a huge bill.
How can I make sure I comply?
If your company collects personal data, there are several steps you can take to comply:
- Hand over data if requested (a request must be acknowledged within 10 days and delivered within 45 days)
- Give people the chance to opt-out of selling their personal information, with a prominent display spelling out this option
- Assess whether or not your organization is compliant with CCPA and if not, understand what steps need to be taken to become compliant.