
The California Consumer Privacy Act of 2018, known as CCPA, is a data privacy law aimed at protecting the personal information of California consumers. Frequently compared to the UK’s expansive GDPR, CCPA will have a big impact on how companies collect, store, and process personal information of California consumers.

As the clock ticks closer to implementation in January 2020, companies must begin preparing their data environments, and non-compliance will result in big fines. To prepare, start by answering these five questions:

1. Will CCPA Affect Me?

CCPA applies to any for-profit entity that does business in California, collects personal information about California consumers, and meets at least one of the following criteria:

  • Earns annual gross revenue above $25 million
  • Annually buys, sells or, for commercial purposes, receives or shares personal information of at least 50,000 California consumers, households or devices, or
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information

If any of these criteria apply to you, or you think they might in the future, now is the time to ensure that your data governance program is on track so you can be ready for compliance come January 2020.

2. Does my Business Collect “Personal Information” as Defined Under CCPA?

The law aims to bring transparency to collection and storage of personal data and give individuals greater control over their personal information. Under the law, personal information is defined as any information that:

“Identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly with a particular consumer, household or employee.”

This definition casts a fairly wide net. It includes (but isn’t limited to) not only obvious identifiers like names, addresses and email addresses, but also web browsing information and inferences drawn from other information sources to create a consumer or personal profile.

The exact boundaries of what will be considered “personal information” under CCPA will likely remain unknown until after the law goes into effect. Companies that don’t have a flexible, scalable data classification system that can help them adapt to interpretations of PII will be in trouble when CCPA is implemented.

3. What Rights do CA Consumers Have Under CCPA?

CCPA includes a wide array of reporting, disclosure, and opt-out provisions to help protect consumer privacy, including:

  • CCPA gives consumers the right to know about a company’s data collection practices, such as types of information collected, how the information is collected, the reason for collecting it, and who the information is shared with.
  • Consumers may submit a Verifiable Consumer Request to find out which information the business, or third-party data brokers, have collected about them.
  • Businesses must disclose the sale of personal information, and give consumers control over what can be sold and when. Businesses that sell data must have a clearly identifiable location on their website homepage labeled “Do Not Sell My Information.”
  • Consumers may request that their personal information be deleted unless it is needed to complete a transaction, or comply with a state or federal legal obligation.

Companies should make an honest assessment of whether they have systems in place to abide by these standards starting in January 2020.

4. How Will This Affect My Business?

In order to comply with CCPA, businesses must implement a process to authenticate and respond to Verifiable Consumer Requests. To do this effectively, companies must be able to locate all of the consumer’s personal data and understand who has access to it and how it is used. You have 45 days to respond to each consumer request, so efficiency is key.

Companies must also develop policies around data privacy, collection, retention, and sales to be publicly disclosed on an annual basis. For more detail, check out IAAP’s guide to CCPA disclosure requirements.

Additionally, any employee or contractor that is tasked with handling consumer inquiries must receive training in understanding the rights granted to the consumer and the requirements of a Consumer Request.

5. How Will the Law Be Enforced?

The California Attorney General is the enforcing arm of the CCPA. In the event of a data breach or a clear violation of the CCPA, the Attorney General can seek civil action against the violating business. The penalties are as follows:

For a Violation – $2,500 per violation (accidental) or up to $7,500 per intentional violation

For a Breach where the company fails to implement reasonable security standards, the State or individuals may seek $750 per violation.

The Bottom Line:

While we still don’t know for sure what a post-CCPA regulatory landscape will look like, it is clear that data privacy laws are here to stay, and likely to expand. Noncompliance could be costly, and companies must be prepared to build and implement sound data protection policies today so they can comply with CCPA, and whatever comes next.

Learn more about how Egnyte can help you build compliance into your organization with advanced data governance.