Only 46% of employees in the United States had heard of the California Consumer Privacy Act (CCPA) Assembly Bill (AB) 375 as of mid-2019, according to the Eye on Privacy Report. That percentage is unnerving, considering the CCPA could have greater repercussions for U.S. companies than the wide-reaching European Union’s General Data Protection Regulation (GDPR). With the CCPA in effect as of January 2020, what does your company need to know in order to ensure compliance?

WHAT IS CCPA?

Like GDPR, CCPA is designed to give consumers more control over their personal information and privacy. The legislation is complex, but CCPA consumer rights can be broken down into a handful of broad categories:

Consumers have the right to:

• Know what personal information has been collected by a company, how the company acquired that data, how the company plans to use that data, and who the company will share the data with
• Prevent companies from selling personal information to third parties
• Ask companies to get rid of personal information

Business must:

• Let consumers know the business intends to collect personal information
• Charge consumers different prices or refuse service if consumers want to exercise their CCPA rights

WHO MUST COMPLY?

Even if your business doesn’t reside in California, you must comply with CCPA if your business meets the following criteria:

• Annual gross revenue of more than $25 million
• Buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices
• Derive 50% or more annual revenue from selling the personal information of California residents

The act has a broad definition of personal information as data that: “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This data includes name, address, email address, SSN, medical information, browsing history, biometric information, search history, geolocation information, account names, and more.

WHAT HAPPENS TO NON-COMPLIANT COMPANIES?

Businesses that do not comply with the CCPA face enforcement from the California Attorney General’s office, seeking $2,500 for each violation or $7,500 for each intentional violation. How violation is being defined remains unclear—is it applied per consumer, per time period, etc.? The act also enables consumers to seek statutory damages of $100-$750 per consumer, per incident, for data breaches and violations.

With the ambiguity of the wording of this privacy legislation, a lot remains unclear. However, the need for clear and documented security and personal information privacy protection processes and implementations is concrete. With well defined and closely followed data security protocols in place, companies can not only protect consumers and boost their brand trust, but also ensure compliance with CCPA, GDPR, and the host of security and privacy regulations already in place and soon to come.