What do you need to know about the CCPA?!
While the European Union’s General Data Protection Regulation (“GDPR”) has received a lot of buzz lately, it is only the tip of the iceberg for what is to come in the United States. The United States has yet to adopt standards as stringent as the GDPR, but that is not stopping certain states from taking action in this space to protect their citizens.
Not surprisingly, California, as one of the more progressive states in the union, has stepped up with the recent passage of AB 375, also known as the California Consumer Privacy Act (“CCPA”). Going into effect January 1, 2020, the CCPA does not contain some of GDPR’s most onerous requirements (e.g., the 72-hour window to report a breach); however, it does broaden the definition of Personal Information and will apply to numerous companies in the United States, not just those in California.
What does the CCPA do?
The CCPA is designed to protect individuals’ Personal Information by forcing companies to tell them what information they have collected, and what they have done with it.
What companies does the CCPA apply to?
If a company does business in California, or has customers or even potential customers in California, and (i) its annual gross revenue is more than $25 million, (ii) it receives, shares or sells personal information of more than 50,000 individuals, or (iii) it earns 50% or more of its annual revenue from selling personal information, it is subject to the CCPA.
What is “Personal Information” under the CCPA?
Under the CCPA, Personal Information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This extremely broad definition includes common online information, like geolocation, IP address, and email address. Of course, more sensitive information is also included here (social security number, bank information, health information, etc.).
How will I know if a company I am working with is in compliance with the CCPA?
If you are working with a company that meets the CCPA requirements, then that company is required to have a clearly visible footer on their website offering consumers an option to opt out of data sharing. If a company is subject to the CCPA, and does not have this footer on their site, then they are in breach of the CCPA.
What does this mean for your individual rights?
The CCPA gives individuals a rare opportunity to sue a company for failing to disclose the use of their personal information, as well as a comprehensive list of all the information the company has saved on the individual. It is not necessary that a breach of the individual’s personal information occur in order for an individual to bring a claim under the CCPA.
How does an individual bring a claim under the CCPA?
In order to pursue rights under the CCPA, an individual must provide a business with a 30-day notice (an opportunity for the business to cure the breach). If the business does not comply, then the individual has the right to pursue further legal action.
How far back will the CCPA cover personal information?
The CCPA covers personal information received by a company starting on January 1, 2019. However, companies are not required to be CCPA compliant until January 1, 2020. This means that an individual can request a copy of all personal information received by a company as far back as twelve months from the enactment of the CCPA.
I’m not in California, how does this affect me?
That depends. If you are a business that reaches into California (even if you have an e-commerce site), you may be subject to the CCPA requirements. See “What companies does the CCPA apply to” above. However, if you are not a citizen of California, nor a company in California, you can expect to see similar legislation being passed down in your state in the near future. California has been known to be a catalyst for change across the U.S., and you can expect this to ring true for your personal information as well. For instance, Nevada and Maine have recently enacted online privacy laws. Similarly, 7 other states have enacted laws regarding cybersecurity, data security and data breach notification. We can expect to see much more oversight in the near future.
Are you ready to handle your website privacy? Are you worried that you might be violating privacy laws? Reach out to courtney@cenglishlaw.com to schedule your business audit!