After the rollout of the European Union’s (EU) General Data Protection Regulation (GDRP) on May 25th and companies scrambled, and are still scrambling, to meet the data privacy compliance requirements, a new data privacy law was passed in the U.S.
Just a little over a month after the GDPR monetary and audit penalties went into effect, on June 28th, California lawmakers passed one of the toughest U.S. data privacy laws to date and will go into effect on January 1st, 2020.
Given the impact of California on the global economy as the 5th largest, behind only the United States as a whole, China, Japan and Germany, many global companies have some involvement with California residents and businesses so will need to comply with the new law.
Who Does This New Law Apply To?
The Consumers include all permanent residents of the State of California and even applies to those residents if they leave the state with devices that captured data in the state.
For Businesses, this applies to you if you have a for-profit business, including a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity, that does business in the State of California and that falls into one of these categories:
Annual gross revenue of more than $25 million;
Process the personal information of 50,000 or more California residents, households, or devices per year. The definition of a “device” is any physical object that is capable of connecting to the Internet or a device, such as a USB, mobile phone, or other information gathering device;
Derive at least 50 percent of your gross revenue by selling personal information;
Any entity that controls or is controlled by a business that has the power to exercise a controlling influence over the management of a company; or
You are a Data Service Provider.
What Are The Penalties?
The penalties for CCPA non-compliance are no where near the potential company devastating penalties of the GDPR which are fines of up to €20 million (about $24 million USD) or 4 percent of a company’s annual global revenue, whichever is greater.
CCPA non-compliance carries civil penalty fines of up to $7,500 for each violation for any person, business, or data service provider. Consumers can claim up to $750 per incident in damages if the business or data service provider does not rectify the issues. All legal actions are reviewed and enforced by the California Attorney General.
Why Another Data Compliance Law?
There are two reasons why we have the GDPR, CCPA, HIPPA, and many other laws that address data privacy.
One, is that data breaches are becoming commonplace and data loss poses substantial risk and exposure for the consumer and businesses.
Secondly, simply, the consumer should have certain controls and privacy over their own data.
To overcome resistance of yet another data compliance law in your organization, put a positive spin on this:
Take this opportunity to reduce costly cyber security attacks, identify and mitigate risks and close the security gaps.
View the data privacy laws as a more effective way for your organization to manage, process, and protect personal data and improve the end user/customer experience.
Use the data privacy laws as an opportunity to reduce cyber risks of loss of data, infiltration costs, possible fines, audit and litigation costs, and damage to reputation.
Your organization’s reputation is critical, and in the event of a security breach or a lack of data security, broken client trust moves customers to the competition.
CCPA will come into effect on January 1, 2020, so now is the time to assess your company’s exposure and start the road to data privacy compliance.