
What is the CCPA and Who Must Comply? The California Consumer Privacy Act Explained


Following the European Union's General Data Protection Regulation (GDPR) and falling in line with the privacy laws of Massachusetts, Vermont, Ohio, and many others, California's controversial new privacy law gives businesses an opportunity to level up on privacy best practices. It also creates work for the CISOs and IT leaders who help manage their business's security risk and privacy activities.

On June 28, the California Governor signed the California Consumer Privacy Act (CCPA) into law, and enforcement of the CCPA starts on January 1st, 2020. As with the GDPR deadline, interest is growing in how to meet these requirements before the enforcement period begins. As with GDPR, the associated fines force organizations to change their operations and put more effort into protecting sensitive personal information.

Most CCPA requirements concern disclosures and the discontinuation of selling California residents' PII (personally identifiable information). The regulation outlines new standards for consumer data collection and consequences for businesses that fail to protect this data. The CCPA also grants California consumers a new set of rights they can exercise.

Who needs to comply with the California Consumer Privacy Act?

The CCPA defines a “business” as a for-profit entity that collects “consumer” (in this case, California residents') personal data and meets at least one of the following:

  1. The business annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
  2. The business has an annual gross revenue of over $25 million.
  3. The business derives 50% or more of its annual revenue from selling consumer personal information.

What are the penalties associated with the California Consumer Privacy Act?

The CCPA applies to any business that collects data from California residents, regardless of where the business is headquartered. As for fines and enforcement, the maximum penalty under the CCPA is $7,500, reserved for intentional violations only. Violations lacking intent remain subject to the preset $2,500 maximum fine. The largest financial impact on businesses comes from the CCPA's private right of action, which lets consumers bring lawsuits. These suits may arise when a consumer's "non-encrypted or non-redacted personal information" is breached, regardless of the harm done to the data. Under the CCPA, consumers can collect between $100 and $750 for each event. If the damages are greater than $750, the consumer may receive even more.

How are the lawsuits filed?

A CCPA plaintiff must inform the California Attorney General within 30 days of filing a CCPA lawsuit. The California Attorney General is the sole individual with the power to delay or block such litigation under the CCPA. Ultimately, CCPA penalties can affect a small company dramatically. A large company will also feel the effects, but they may not be as harmful to its business operations as they would be to a start-up.

More impactful for many businesses than the potential fines associated with the CCPA are the positive effects on the business’s marketing programs and efforts to build consumer trust.
