The California Consumer Privacy Act: What You Need to Know
Updated November 2019
In one of the most significant cybersecurity developments of recent years, the California Consumer Privacy Act (CCPA) is bringing the key concepts of Europe’s GDPR onto American shores.
When it takes effect in January 2020, the CCPA will create a set of obligations for businesses and rights for consumers, including new consent requirements, new mandated disclosures, a right to opt out of data collection, and a right to request deletion of personal information. The law also provides for new penalties when companies expose unencrypted personal information to theft or misuse. Sound familiar?
Of course it does. Once GDPR was on the books in Europe, it was only a matter of time before a similar law appeared in the US. The fact that a large percentage of American companies already have to comply with GDPR—because they do business in the EU—eliminated much of the political resistance that the CCPA would have met if it had been proposed a few years ago. And California, as the center of the US tech industry and the country’s pace-setter for tech law, was the natural place for such a law to appear. The Cambridge Analytica scandal (which is actually mentioned in the bill) sped up the process, and the CCPA was passed only a few days after being introduced.
So what happens now?
Like the GDPR before it, the CCPA has been the subject of intense debate and widespread uncertainty. Companies like Google and Facebook have advocated for changes to the law’s requirements and clarifications on how the law will be enforced. In October 2019, the state passed a collection of amendments to the law and issued a set of draft regulations that provide specific guidance on how companies can meet some of the law’s requirements.
As the remaining uncertainties get ironed out, other states will likely follow California’s example and pass similar laws of their own, bringing the US closer to a standard model of data protection.
With that in mind, here’s a look at some of the most significant aspects of the country’s newest cybersecurity law:
The CCPA applies to any company that collects or provides the personal information of California residents and meets one or more of the following criteria:
- Has $25 million or more in annual sales
- Buys, sells, or shares information on 50,000 or more individuals, households, or devices
- Derives more than half of its annual revenue from selling personal information
The CCPA creates a variety of new rights for California residents whose personal data is collected, processed, or sold by companies that are covered by the law:
- The right to request information about what types of data a company has collected, the purpose of collecting it, and the names of companies to whom the data was sold
- The right to opt out of data collection or sale
- The right to request deletion of personal data
Like the GDPR, the CCPA sets criteria for when consumers may exercise these rights, and circumstances under which companies are exempt from complying with consumer requests.
Also like the GDPR, the CCPA defines penalties that may be applied when companies expose personal information or otherwise fail to meet their privacy and security obligations. One unique aspect of the California law is that it sets specific dollar amounts that consumers can collect from companies in the event of a breach. A consumer can sue for between $100 and $750 without having to prove that they were actually harmed by a data breach, and can collect much more if they are able to demonstrate material harm.
Significantly (and once again in line with the GDPR), the CCPA only applies data breach sanctions if companies fail to protect personal data with encryption or redaction. If personal information is protected with appropriate data-level measures, it cannot be used by unauthorized parties, so consumers are left unharmed.
PKWARE Can Help
PKWARE understands that compliance is a complex challenge, requiring the efforts of multiple departments and multiple vendors. Our data compliance solutions are designed to meet a wide range of data protection requirements, while integrating with the rest of your organization’s IT and security ecosystem.
For organizations that need to comply with the California Consumer Privacy Act, PKWARE provides automated encryption and redaction technology to protect consumer information on laptops, desktops, servers, and beyond. PKWARE’s integrated data discovery and classification technology can also facilitate compliance with consumer requests for deletion or for copies of their own information, especially when data is located in documents, spreadsheets, or other forms of unstructured data.