
What is the CCPA and Who Must Comply? The California Consumer Privacy Act Explained


Following the European Union's General Data Protection Regulation (GDPR), and falling in line with the privacy laws of Massachusetts, Vermont, Ohio and many others, California's controversial new privacy law presents the opportunity for businesses to level up on privacy best practices. And for those CISOs and IT leaders who help manage their business's security risk and privacy activities, there is some work to be done.

On June 28, the California Governor signed into law the California Consumer Privacy Act, and enforcement of the CCPA starts January 1st, 2020. As with the GDPR deadline, there is growing interest in how to meet these requirements before the enforcement period begins. Similar to how businesses approached the GDPR, organizations are being forced to change how they operate because of it, and because of the fines associated with it.

Most of the CCPA requirements are around disclosures and ultimately the discontinuation of selling California residents' personally identifiable information (PII). The regulation outlines new standards for consumer data collection, as well as consequences for businesses that fail to protect this data. Also included in the CCPA is a new set of rights that California consumers can exercise.

So who needs to comply with the California Consumer Privacy Act? The CCPA defines a “business” as a for-profit entity that collects “consumer” (in this case California residents') personal data and meets at least one of the following:

  1. The business annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices.
  2. The business has an annual gross revenue of over $25 million.
  3. The business derives 50% or more of its annual revenue from selling consumer personal information.

What are the penalties associated with the California Consumer Privacy Act? The CCPA applies to any business that collects data from California residents, regardless of where your business is headquartered. As for fines and enforcement, the maximum penalty of the CCPA is $7,500 and is reserved for only intentional violations of the CCPA. Other violations lacking intent remain subject to the preset $2,500 maximum fine. The largest financial impact on businesses is the CCPA's provision of a right for consumers to bring lawsuits. These situations may arise from instances where their "non-encrypted or non-redacted personal information" is breached, regardless of the harm done to the data. Under the CCPA, consumers can collect between $100 and $750 for each event. If the damages are greater than $750, then the consumer may receive even more.

How are the lawsuits filed? A CCPA plaintiff is obligated to inform the California Attorney General of the situation within 30 days of filing a CCPA lawsuit. The California Attorney General is the sole individual who has the power to delay or block such individual litigation under the CCPA. Ultimately, a small company can be greatly impacted by the CCPA penalties, while a large company will see effects that may not be as harmful to its business operations as they would be to a startup's, for example.

More impactful for many businesses than the potential fines associated with the CCPA are the positive effects on the business’s marketing programs and efforts to build consumer trust.

Want an overview of how to approach the CCPA requirements? Watch CyberSaint’s Chief Product Officer provide a step by step overview in our recent webinar.

 
