A little more than a month after the EU’s General Data Protection Regulation (GDPR) took effect, businesses have a new data privacy and security law to worry about: The California Consumer Privacy Act of 2018 (CCPA), which was signed into law on June 28.
The law, which takes effect on Jan. 1, 2020, gives California consumers broad personal data protections. Consumers will have the right to ask businesses to disclose all personal information they collect about them free of charge, as well as the sources of that information, the business purposes for collecting it, and the types of third parties with which that information is shared.
“A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used,” the CCPA states.
Consumers will have the right to request deletion of their personal information, as well as the identities of all third parties to which their information has been sold or disclosed. Consumers will also have the right to opt out of the sale of their personal information, with businesses prohibited from discriminating against them for exercising that right.
CCPA limitations and penalties
The CCPA applies only to for-profit businesses that meet at least one of three thresholds: they annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; they derive 50 percent or more of their annual revenue from selling consumers’ personal information; or they have annual gross revenues in excess of $25 million.
Any consumer whose unencrypted or unredacted personal information is stolen or exposed due to a “violation of the duty to implement and maintain reasonable security procedures and practices” will be entitled to statutory damages of between $100 and $750 per consumer per incident, or actual damages (whichever is greater), as well as injunctive or declaratory relief.
Additionally, any person, business or service provider that intentionally violates the Act may be liable for a civil penalty of up to $7,500 per violation.
Commvault director of solutions Patrick McGrath told eSecurity Planet that organizations should respond to the new law by minimizing their exposure in handling personal data, keeping only the data needed to service direct business and legal needs.
“With the rapid adoption of cloud and SaaS application partners, data is becoming further distributed and it demands proper data protection coverage,” McGrath said. “Even if breached data was not stored on-premises under your direct control, it is still your responsibility to determine whether or not personal information could have been compromised, and if so, to enact notification procedures.”
GDPR compliance a good start, but…
Imperva CTO Terry Ray told eSecurity Planet the CCPA shouldn’t place a particularly heavy burden on most companies. “Most global organizations have already built the framework for these same requirements to meet GDPR over the last few years, so there are plenty of materials, processes and products available to assist California companies with these similar requirements,” he said.
“Whether it’s serendipitous or planned by California, following GDPR might have helped get organizations ready for CCPA,” Ray added.
Still, there are differences. In an IAPP blog post, Baker McKenzie partner Lothar Determann warned that GDPR compliance may not be enough to ensure compliance with CCPA.
The California law, Determann noted, defines personal data more broadly, including information pertaining to households and devices; requires specific disclosures and communication channels that aren’t required by GDPR; contains different exceptions to the right to have personal data deleted; establishes broader rights to access personal data; and imposes tighter restrictions on data sharing for commercial purposes.
“Companies around the world will need to start working right away to assess the California Consumer Privacy Act’s impact on their business, systems and data handling practices,” Determann wrote. “A year and a half is not a lot of time, as anyone who has been working on EU GDPR compliance knows well.”