The California Consumer Privacy Act, or CCPA, is a data privacy law in the state of California. It applies to any for-profit business that does business in California and meets at least one of three thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices (raised to 100,000 consumers or households by the CPRA amendments that took effect in 2023); or deriving half or more of its annual revenue from selling personal information. These thresholds are alternatives, not cumulative requirements.
A business does not need to be headquartered in California. Any company that does business in the state and collects personal information about California residents must comply if it meets one of the thresholds above.
Personal information collected under the California Insurance Information and Privacy Protection Act, or IIPPA, is exempt from most of the CCPA. This is an exemption for that data, not a blanket exemption for the company: insurance companies, insurance agents, and support organizations must still comply with respect to personal information that falls outside IIPPA.
Many data elements that fall outside the scope of other privacy statutes are covered by CCPA. For example, characteristics of protected classifications under California or federal law such as race, religion, national origin, ancestry, sexual orientation, gender identity, marital status, and military status are personal information under CCPA and must be handled accordingly. If your organization needs to comply with CCPA, review its broad definition of “personal information” carefully.
Under CCPA, organizations are required to:
- Provide notice when collecting personal data.
- Allow people to opt-out, view, or delete personal data.
- Provide a clearly visible “Do Not Sell My Personal Information” link (“Do Not Sell or Share My Personal Information” since the CPRA amendments) so consumers can opt out of the sale of their data.
- Offer transparency so consumers may easily identify: collected information, why the data was collected, and the identity of third parties receiving shared data. The organization must keep records of consumer requests and their fulfillment for 24 months.
- Disclose the process for assigning a monetary value to personal data and the financial incentives for selling the data.
- Verify the identity of any person who has requested to view or delete personal information, even if the person’s account is password protected.
Enforcement and Fines
Enforcement of CCPA is under the jurisdiction of the California Attorney General and, since the CPRA amendments, the California Privacy Protection Agency (CPPA).
The original act gave organizations 30 days to “cure” a violation after being notified before penalties could be assessed; the CPRA amendments removed this mandatory cure period as of 2023. Civil penalties run up to $2,500 per violation and up to $7,500 per intentional violation (or per violation involving the personal information of a minor). Penalties are assessed per violation, so totals scale with the number of affected consumers.
California consumers also have a private right of action, but only for data breaches. A consumer whose non-encrypted, non-redacted personal information is exposed because the business failed to implement reasonable security procedures can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, without proving any further harm. Violations of the other CCPA obligations are enforced by the regulators, not through private lawsuits.
Compliance Best Practices
- Designate a person in charge of data security and privacy for the organization.
- Conduct a detailed analysis of how data flows through the organization.
- Perform a risk assessment of data flow and analyze this information per CCPA requirements.
- Review safeguards of all data systems including network security, email protocols, data collection, data storage, and deletion.
- Mitigate risks through employee training, rigorous data protection policies and procedures, technical controls, governance, and vendor management.
- Keep detailed records of your privacy program and perform regular comprehensive reviews and audits.
- Vet third parties and service providers for CCPA compliance, and put the written contracts the statute requires in place to restrict what they may do with the personal information you share. Your own compliance does not insulate you: your organization can still be held responsible for a vendor's mishandling of that data if it knew or had reason to believe the vendor would misuse it.
- Meeting the European General Data Protection Regulation (GDPR) requirements does not mean your organization is also compliant with CCPA. The two laws differ in scope, definitions, and required mechanisms (for example, CCPA's opt-out of sale versus GDPR's consent basis), so review the CCPA itself to confirm full compliance.
Robust systems that protect people’s privacy and data while complying with laws such as CCPA should be a top priority for every organization that handles personal data. Data breaches and non-compliance penalties carry high financial costs, and the damage to an organization’s reputation can multiply those losses. If your organization does business with California residents, or intends to, and meets the CCPA thresholds, compliance is essential.
For companies handling digital information, a Trust Center is essential in helping your customers understand how you are keeping their data private and secure.
You may contact one of our trust center experts to find out how to get started with a reliable trust center.