In late June 2018, California passed a consumer privacy act, AB 375, that could have more repercussions for U.S. companies than the European Union’s General Data Protection Regulation (GDPR), which went into effect this past spring. The California law doesn’t have some of GDPR’s most onerous requirements, such as the narrow 72-hour window in which a company must report a breach. In other respects, however, it goes even further. The California Consumer Privacy Act (CCPA) takes a broader view than the GDPR of what constitutes private data. The challenge for security, then, is to locate and secure that private data.
What Is The CCPA?
AB 375 allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Which Companies Does The CCPA Affect?
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that hold personal data on at least 50,000 people, or that collect more than half of their revenue from the sale of personal data, also fall under the law. Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States.
An amendment made in April exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).
What Happens if My Company Is Not in Compliance With the CCPA?
Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, there’s a fine of up to $7,500 per record. “If you think about how many records are affected in a breach, it really increases very quickly,” says Debra Farber, senior director for privacy strategy at BigID. Since the bill was put together and passed in just a week, it will probably see some amendments, she adds. “Things like the fine amounts are likely to change.”
There’s also another potential financial risk, Farber says. “The bill provides for an individual’s right to sue, for the first time,” she says. “And it allows class action lawsuits for damages.”
Again, there’s a 30-day window that starts when the consumers give written notice to a company that they believe their privacy rights have been violated. “If it’s not cured, and the attorney general declines to prosecute, then they can bring a class-action suit,” Farber says. “And it’s not just around breaches.”
For example, the law specifies that companies must have a clearly visible footer on their websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. They can also sue if they can’t find out how their information has been collected or can’t get copies of that information. “It can be around anything,” Farber says.