Despite the Coronavirus (COVID-19) pandemic, the California Attorney General intends to enforce the California Consumer Privacy Act (CCPA) beginning July 1, 2020, pending the anticipated approval from the California Office of Administrative Law (OAL) on the final text of the proposed CCPA regulations. On June 1, 2020, the Office of the California Attorney General submitted the final proposed regulations package under CCPA to the California Office of Administrative Law (OAL). The OAL has 90 days to review the package due to a 60-day extension due to COVID-19.
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and was put into effect on January 01, 2020. The law is similar to the General Data Protection Regulation (GDPR) privacy regulation enacted by the European Union. Consumers are provided data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information.
WHO MUST COMPLY?
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data, also fall under the law.
CCPA 1798.105(d)(1) states businesses do not have to comply with consumer deletion requests if they need to maintain the information in order to “complete the transaction for which the personal information was collected [or] provide a good or service requested by the consumer.”
PENALTIES
Under California law, damages may include:
$100 to $750 per consumer per incident, or actual damages, whichever is greater
Injunctive or declaratory relief
Any other relief the court deems proper
WHAT DO YOU HAVE TO DO TO COMPLY?
In order to comply with the CCPA, organizations need to clearly understand the data they are collecting about consumers. Once the customer data is identified it needs to be mapped throughout the organization to identify where it is stored. Revision of the organization’s privacy policy will need to occur. The organization must provide ways for customers to submit data access requests. This is generally done via at least the web as well as a phone number. A process needs to be developed to handle the request and it must provide results to the consumer within 45 days, free of charge. Finally, employees need to be trained on the new program to ensure compliance. This process can be an arduous task, especially if there is a surge of requests which many believe there will be.
HOW CAN NTH GENERATION HELP?
Nth Generation is here to help in several ways. If your organization currently does not know its alignment to the CCPA, we can provide a very lightweight questionnaire that once filled out, allows us to clearly document how well the organization is aligned to the CCPA and recommendations for any remedial actions necessary. If you are seeking assistance with any of the CCPA components, we have several leading industry solutions that can help.
The CCPA is upon us, are you ready?
CLICK HERE to connect with one our security experts.
Jeromie Jackson Director of Security & Analytics