June 2018, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law as a means to protect the data rights of California residents. While this act is monumental, most individuals are still unaware of the law and the impact it carries across the globe.
With the law going into effect on January 1st, 2020, businesses need to immediately understand the broad scope of the CCPA compliance umbrella, the risk of not being CCPA compliant, and the long-term effects of this law.
CCPA Compliance Qualifications:
You must be CCPA compliant if your business conducts operations involving the collection of data of California residents and meets one of the following criteria:
- The company in question handles the data of a minimum of 50,000 clients
- The company possesses an Annual Gross Revenue of more than $25 million
- At least half of the company’s revenue is derived from the selling of personal information
Under these circumstances, CCPA not only applies to companies domestic to the US, but also all other companies around the world that have operations involving California residents. It is similar to the European Union’s GDPR guidelines; both do not discriminate based off of a company’s physical location.
What’s the risk to my business if I’m not CCPA compliant?
CCPA penalties and fines only apply to companies if a data breach has occurred after January 1st, 2020. Non-compliant companies aren’t punished until there is a breach incident (as opposed to GDPR, under which the EU can fine a business simply for being noncompliant).
Once a breach occurs, the CCPA fines are assigned to non-compliant companies on a per violation basis. The maximum fine a business can face is $7,500.00 for a single violation. However, the State of California can fine a company for an unlimited amount of violations.
Another important aspect of the CCPA is the ability for consumers to take legal action against a non-compliant business. A California resident is lawfully allowed to collect anywhere from $100.00 — $750.00 without needing to prove he or she was directly affected by the data breach. Given the size of California’s population, a company could face shelling out an immense sum of money if they are not in CCPA compliance.
What are the long-term effects of CCPA? How will CCPA affect me in the future?
If a company is hacked and is not CCPA compliant, it could owe the state and its residents an exceedingly large amount of money. Therefore, for financial reasons, it’s important for business leadership to take the protection of data seriously.
Because of the vast sums of money which may potentially be involved, the state of California could profit greatly from the CCPA. After other states see how California is profiting, they may begin to adapt similar privacy laws. While the motivation of these laws should be privacy protection, the real motivator for many states will likely be the potential profit from violations.
Since other states are likely to adopt similar legislation, it’s important that businesses become compliant now, before they face staggering fees from a data breach.
Although CCPA might not directly affect you at the moment, data privacy laws will affect the majority of companies in the future. Everyone should prepare for CCPA and any other future legislation by implementing personal data security mechanisms as soon as possible.
If you need any assistance in choosing, implementing, or managing data security solutions (or a CCPA compliance audit, for that matter) please reach out to the Dark Rhino Security team.