California Consumer Privacy Act Will Impact Businesses That Collect and Receive Personal Data
Friday, December 06, 2019
A law to protect the privacy of California consumers takes effect Jan. 1, and businesses that don’t comply with the mandates by July 1 will face stiff fines.
The California Consumer Privacy Act (CCPA), amended and signed into law Sept. 23, broadly expands the rights of consumers and requires companies to be significantly more transparent in regard to how they collect, use and disclose personal information. Those that don’t play by new rules could potentially face millions of dollars in penalties.
The U.S. government has yet to implement a federal privacy law similar to Europe’s General Data Protection Regulation, so individual states have begun to craft their own measures. When enacted, California’s privacy act will be one of the most restrictive bills of its kind in the nation and likely will impact tens of thousands of businesses worldwide that collect California consumers’ personal information.
WHAT BUSINESSES WILL BE AFFECTED?
The law will apply to a business if it, or an entity it controls or that controls it, collects or receives personal information from California residents, either directly or indirectly, and meets one or more of the following criteria:
- Has annual gross revenue that exceeds $25 million
- Annually receives, buys, sells or shares directly or indirectly the personal information of 50,000 or more California residents, households or devices
- Half or more of its annual revenue comes from the sale of personal information about California consumers
Elizabeth Gallagher, chief revenue officer of Lineate, a New York-based software development company that helps businesses accelerate their growth and revenue, said the CCPA will affect a broad spectrum of large companies, including retail chains and technology firms.
“This will affect companies that do a lot of online advertising,” she said. “They need to be prepared. It’s time for businesses to think more proactively about how they handle consumer data.”
Under the privacy act, state Attorney General Xavier Becerra will be empowered to bring action against any company or person who violates the law. And fines for noncompliance could add up quickly, according to a report from TrustArc, privacy compliance and data protection firm.
The law allows for fines of up to $2,500 per violation or $7,500 per intentional violation, the report said, adding that there’s no cap on the total amount of fines that can be accrued.
A violation impacting 10,000 California consumers could carry a penalty of $25 million, TrustArc said, but that could rise to as much as $75 million for a business that intentionally skirts the law.
The law also allows consumers to seek statutory or actual damages if their sensitive personal information is subject to unauthorized access, theft or disclosure as a result of a business’ failure to establish and maintain required reasonable security measures. That wouldn’t apply if the personal information is redacted or encrypted.
Statutory damages can be between $100 and $750 per California resident per incident, or a consumer could seek actual damages — whichever is greater.
“The new regulations signal a shift in expectations between customers and companies, and so companies will have to work harder to gain and retain customer trust,” the report said.
FACEBOOK FACING A BIG PAYOUT
One mega tech firm is already learning that the hard way.
The Wall Street Journal reported recently that the European Union is close to winding up its investigation into cases it opened against Facebook under the EU’s General Data Protection Regulation. Under the GDPR, fines for violations can be up to 4% of a company’s worldwide revenue for the previous year. In Facebook’s case, that could reach $2.23 billion.
The social media company recently settled with the Federal Trade Commission in the U.S. over privacy violations. That required the company to pay $5 billion, the largest fine in FTC history.
Some of the nation’s largest data breaches have compromised the personal information of millions of customers. Yahoo suffered an attack in 2013 that affected 3 billion records, and this year’s data breach at First American Financial Corp. impacted 885 million records. Other breaches have affected records at Marriott International and Friend Finder Networks, among others.
A COMPLIANCE ROAD MAP
TrustArc’s report provides a road map for what businesses will need to do:
- Build a compliance program and assemble a team to address privacy protection
- Assess risks and create awareness
- Design and implement operational controls
- Manage and enhance the controls
- Demonstrate ongoing compliance
All of that will come at a cost. But it will be money well spent, according to Gallagher.
“Companies need to make sure they are abiding by the law,” she said. “That makes far more financial sense than getting hit for noncompliance… and there are so many ways that can happen when you aren’t careful.”
Category: Advocacy News